Cisco Talos detects an early-stage campaign targeting low-information users.
A malware vendor has created a fake website posing as Amnesty International to provide gullible users with software that pretends to protect them from NSO Group’s Pegasus malware. In reality, it is a remote access Trojan (RAT).
The campaign exploits fears about Pegasus and follows the usual pattern of malware download lures, which are typically built around current news, while choosing a particularly nasty angle: spying on exactly those people who are seeking protection against advanced threats.
The fake Amnesty website looks very similar to the real one and offers users a download of “AntiPegasus” software for the Windows desktop. The malware (for that is what it is) “scans” the user’s computer while in reality installing a Trojan. The malicious application itself is superficially disguised to fool non-technical users into thinking they have downloaded legitimate software.
Cisco Talos discovered the fake website, analyzed the download, and determined that it was the Sarwent RAT.
“Sarwent has the usual capabilities of a remote access tool – mainly serving as a backdoor on the victim computer – and can also enable the remote desktop protocol on the victim computer, potentially allowing the attacker to directly access the desktop,” Talos researchers Vitor Ventura and Arnaud Zobec said.
Pegasus is an iPhone exploit suite developed by the Israeli malware vendor NSO Group. At least one of the vulnerabilities exploited by NSO, a zero-click vulnerability in iMessage, was patched by Apple in September.
The site appears to have been discovered at a very early stage: Talos notes that its email telemetry has not yet picked it up, and there is no search-engine bait either. The domains used to lure users into downloading the RAT are spread across the UK, the US, Russia, Vietnam, Argentina and Slovakia.