The Google Threat Analysis Group is reporting that an exploitation framework making use of multiple zero-days was sold by a Spanish firm for years, and it is unknown exactly who might have used the spyware.
The vulnerability window appears to have been from about late 2018 through 2021, though specific dates have not been pinned down. The exploitation framework included scripts to give an attacker full access to a target system via Chrome, Firefox or Windows Defender.
Exploitation framework tied to “Variston IT,” company claims it is not responsible
The company that Google researchers have connected to the spyware does not advertise it publicly, and says that it is not responsible. But there is evidence of its involvement in the exploitation framework code, including signatures containing the company name. If the company was involved, it is unclear who its customers were. However, it does not offer the usual public assurances of only working with legitimate law enforcement agencies that most spyware providers promise.
The spyware bears at least some similarity to the infamous Pegasus, which was able to compromise iOS devices without the user even opening or clicking on a malicious message. This exploitation framework leveraged a bug in Windows Defender (now patched) that allowed a malicious file to break out of the scanner's containment when Defender scanned it, for example upon receipt by email or before a download from the web completed.
That was not the only means it had of compromising targets, however. It also had additional exploits for the Chrome and Firefox browsers, and in the case of Firefox it was able to attack Linux systems as well as Windows. The robustness of the exploitation framework highlights how active the commercial spyware market remains, even as NSO Group has been sanctioned and pushed close to bankruptcy due to negative press.
Exploitation framework thought to be viable for at least two years
Google, Mozilla and Microsoft have all patched out the vulnerabilities that the spyware exploited at this point, but the issues seemed to crop up at different times and were not all patched at the same time.
The security patching was done during 2021 and in early 2022. The first component of the spyware to emerge was likely the Firefox exploit, which began with version 64 of the browser (released in late 2018) and persisted to version 68 (in mid-2019). It is unclear when the Windows and Chrome vulnerabilities first appeared, but they appear not to have been addressed until at least some point in 2021. An anonymous tip to the Chrome bug bounty program put Google on the trail of the entire exploitation framework.
The Google researchers say that they have seen no direct evidence of exploitation in the wild, but with little knowledge about who it was distributed to, it is difficult to tell where or when it might have been used. If the IT firm was indeed selling the spyware while also trying to conceal its existence, it is a reasonable bet that unsavory customers were involved.