Heliconia exploitation frameworks capable of deploying spyware
Clement Lecigne
Threat Analysis Group
Benoit Sevens
Threat Analysis Group
Threat Analysis Group (TAG) has been tracking the activities of commercial spyware vendors for years, using our research to improve the safety and security of Google’s products and share intelligence with our industry peers. TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents. Google and TAG are committed to disrupting these threats, protecting users, and raising awareness of the risks posed by the growing commercial spyware industry.
Continuing this work, today we’re sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain, that claims to be a provider of custom security solutions. Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022. While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild. TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files. To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up-to-date.
TAG became aware of the Heliconia framework when Google received an anonymous submission to the Chrome bug reporting program. The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports, including “Heliconia Noise,” “Heliconia Soft” and “Files.” TAG analyzed the submissions and found they contained frameworks for deploying exploits in the wild; a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.
The exploitation frameworks, listed below, included mature source code capable of deploying exploits for Chrome, Windows Defender and Firefox. Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0-days before they were fixed.
- Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
- Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
- Files: a set of Firefox exploits for Linux and Windows
Below, we share our findings on the exploitation frameworks and how they work. This analysis was done in collaboration with our colleagues, Ivan Fratric and Maddie Stone from Project Zero, and Stephen Röttger from the V8 Security Team.
Heliconia Noise is a web framework for deploying a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation. A manifest file in the source code provides a product description:
The Chrome renderer exploit supports Chrome versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021). It takes advantage of a V8 deoptimizer bug fixed in August 2021. As is currently normal for internally found Chrome bugs, no CVE was assigned.
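As an added example (not code from the TAG post or from the Heliconia source), a small Python triage helper that flags installed Chrome builds falling inside the version window the post gives for the renderer exploit; the hostnames and versions in the sample inventory are constructed.

```python
"""Fleet triage: does an installed Chrome build fall inside the window the
Heliconia Noise renderer exploit supports (90.0.4430.72 to 91.0.4472.106, as
stated in the post)? Versions are compared numerically component by component,
since a plain string compare misorders e.g. "91.0.4472.9" vs "91.0.4472.106".
"""
from typing import Dict, Tuple

# Window stated in the post; both ends inclusive.
AFFECTED_MIN = "90.0.4430.72"
AFFECTED_MAX = "91.0.4472.106"


def parse_version(v: str) -> Tuple[int, ...]:
    """'91.0.4472.106' -> (91, 0, 4472, 106); ValueError unless 4 numeric parts."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def in_affected_window(version: str, lo: str = AFFECTED_MIN,
                       hi: str = AFFECTED_MAX) -> bool:
    """True if version lies in [lo, hi] inclusive, compared numerically."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' | 'ok' | 'unparsable' for a {host: version} dict.
    Malformed entries are surfaced rather than silently counted as patched."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if in_affected_window(ver) else "ok"
        except ValueError:
            result[host] = "unparsable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ws-01": "90.0.4430.72",   # first build in the window
        "ws-02": "91.0.4472.106",  # last build in the window
        "ws-03": "91.0.4472.114",  # newer than the window
        "ws-04": "89.0.4389.128",  # older than the window
        "ws-05": "91.0.4472.9",    # string compare would misplace this
        "ws-06": "unknown",        # malformed
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```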
The source code contains references to a sandbox escape called chrome-sbx-gen. This component was maintained in a separate Git submodule, and was not present in the obtained source code.
To obfuscate the JavaScript code, the framework uses minobf, likely a custom tool that was also not included in the source code.
Heliconia Noise includes a pre-commit cleaning script that leaks the name of the company that likely develops this project, Variston IT. The script, shown below, checks that binaries produced by the framework do not contain sensitive strings such as “Variston,” developer aliases or server names. Variston Information Technology is a small company based in Barcelona that describes itself as offering “tailor made Information Security Solutions.”
Heliconia Noise is configurable using a JSON file that enables customers to set various parameter