The download is actually a Trojan – so stay away!
Cisco Talos detects an early-stage campaign targeting low-information users.
A malware vendor has created a fake website posing as Amnesty International to provide gullible users with software that pretends to protect them from NSO Group’s Pegasus malware. In reality, it is a remote access Trojan (RAT).
This development exploits the fears about Pegasus malware and picks up the usual development of malware download lures (which are usually based on current news) while choosing a particularly nasty vector to spy on those who seek protection against advanced threats.
The fake Amnesty website looks very similar to the real one and offers users to download “AntiPegasus” software to a Windows desktop. The malware (for that is what it is) “scans” the user’s computer, while in reality it injects a Trojan. The malicious application itself is superficially disguised to fool non-technical users into thinking they have downloaded safe software.
Cisco Talos discovered the fake website, analyzed the download, and determined that it was the Sarwent RAT.
“Sarwent has the usual capabilities of a remote access tool – mainly serving as a backdoor on the victim computer – and can also enable the remote desktop protocol on the victim computer, potentially allowing the attacker to directly access the desktop,” Talos researchers Vitor Ventura and Arnaud Zobec said.
Pegasus is an iPhone exploit suite developed by Israeli malware vendor NSO Group. At least one of the vulnerabilities exploited by NSO was patched by Apple in September, as it was a zero-click vulnerability in iMessage.
The site appears to have been discovered at a very early stage, as Talos notes that their email telemetry has not picked it up. There is also no search engine bait. The domains used to lure users into downloading RAT range from the UK to the US, Russia, Vietnam, Argentina and Slovakia.
- Ransomware criminal: Yes, what I do is bad. No, I don’t care. Yes, security experts have their mouths full and no pants on
- Attacks on Remote Desktop Protocol endpoints have exploded this year, warns latest ESET Threat Report
- Don’t look a GriftHorse in the mouth: Trojan tramples 10 million Android devices
- Kaspersky links new Tomiris malware to Nobelium group
“Cisco Talos has a high probability that the actor in this case is a Russian resident who has been conducting Sarwent-based attacks since at least January 2021, covering a wide range of victim profiles,” the company said.
The security firm believes Sarwent dates back to 2014 – quite old by malware standards.
The use of fake domains and Trojanized downloads to spread malware is almost as old as malware itself. Fake software activation codes are a perennial favorite, and state-sponsored APTs have used GDPR decoys with varying degrees of success over the past four or five years.
On a much larger scale, files released by WikiLeaks in 2017 appeared to show that the CIA had written code to impersonate Kaspersky Labs to make it easier to siphon sensitive data from its targets.
Amnesty International was contacted for comment. The organization has spoken out about NSO Group’s supply of malware and hacking tools to questionable governments, as have tech-focused organizations such as Canada’s Citizen Lab and the U.K.’s Privacy International.
