Google’s Threat Analysis Group (TAG) has found ties between Spanish software firm Variston IT and Heliconia, a set of hacking tools that preys on flaws in Microsoft Defender, Chrome and Firefox.
TAG monitors hundreds of firms that provide surveillance tools for governments to monitor dissidents, reporters and political rivals. The goal is to protect Google customers from state-sponsored cyberattacks.
The tech giant asserts that Spanish software business Variston IT is likely one of these firms. In a recent report, TAG indicates that Variston IT is tied to Heliconia, a set of hacking tools that exploits vulnerabilities in Microsoft Defender, Chrome and Firefox.
TAG revealed the conclusion in a report on Wednesday. “Heliconia provides all the tools necessary to deploy a payload to a target device”, Google said. TAG investigated the hacking toolset after being tipped by an anonymous source.
During the investigation, the team found indications of ties between Heliconia and Variston IT. The Spanish firm describes itself as a provider of specialized security solutions.
Each component of Heliconia focuses on a particular security vulnerability in software running on targets’ devices. Components include:
- Heliconia Noise — a web toolset that can be employed to launch an attack through a Chrome renderer flaw and escape the Chrome sandbox to install agents on the target device.
- Heliconia Soft — a toolset that distributes a PDF through the Windows Defender vulnerability identified as CVE-2021-42298.
- Heliconia Files — a collection of Firefox exploits discovered for both Linux and Windows.
Heliconia Noise and Heliconia Soft ultimately install an agent dubbed ‘agent_simple’ on infected systems.
Interestingly enough, a sample of the toolset examined by Google includes a fake agent that executes and quits without running any harmful code.
Google assumes that the toolset’s clients either supply their own agents or that the agent is part of a different project.