Hackers Impersonate Amnesty International to Spread Malware
Sarwent Malware Can Execute Remote Tasks
Fraudsters are impersonating Amnesty International by building a fake site to distribute malware purporting to be an antivirus tool to protect against the NSO Group's Pegasus tool, according to researchers at Cisco Talos.
Cisco Talos researchers found that, instead of delivering a real antivirus tool, the threat actors serve a fake one that downloads and installs the Sarwent malware, which has the usual capabilities of a remote access tool and serves as a backdoor on the victim's machine.
The malware has several means of executing remote tasks, including Remote Desktop Protocol and Virtual Network Computing, in addition to its shell and PowerShell execution capabilities.
"We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware," researchers note. "In addition to Amnesty International's report, Apple also had to recently release a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time." (see: Apple Fixes Zero-Day Flaws Used to Target Activist).
Amnesty International recently released a groundbreaking report on the widespread use of Pegasus spyware by governments to spy on dissidents, journalists and activists. NSO Group, however, maintained that the software is only used for legitimate and authorized law enforcement activities, which include combating crime and terrorism.
A spokesperson for Amnesty International was not immediately available to comment.
Cisco Talos says the threat actors appear to be building a fake site that is almost identical to Amnesty International's legitimate one. One visible difference: the original site has a white background behind the menu, while the fake site's menu background is transparent.
The attacker-controlled website advertises the "Amnesty Anti Pegasus" software on its homepage. The malicious software, dubbed "AVPegasus" by the threat actors, is not a standard information stealer that grabs credentials upon execution and exfiltrates them immediately; it is a backdoor that gives the attacker persistent access.
"In this case, Sarwent has a look and feel that could easily be recognized as a regular antivirus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim's computer," researchers note.
The campaign targets people who are concerned that they have been hit by Pegasus spyware. The researchers say this targeting raises the possibility of state involvement, although they could not establish it.
"This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access," researchers note.
Researchers at Cisco Talos assess with high confidence that the threat actor is a Russian speaker located in Russia who has been running Sarwent-based attacks since at least January 2021. In earlier campaigns, researchers found victims in several countries, including Colombia, India, the United States and Germany.
The researchers note, however, that they were unable to identify the kind of lures used in the previous campaigns.
"Talos assesses with moderate confidence that this actor has been using the Sarwent malware, or another one with a similar backend, since 2014, which makes this malware much older than originally expected. The other possibility is that the threat actor has been using malware previously used by another actor," the researchers note.
They say they have not seen a malicious advertisement or phishing campaign promoting the fake site and currently have no information on how the actor intends to draw targets to the fraudulent website used to distribute the malware.
Researchers analyzed the domains involved and found that they are being accessed from around the world, with no search engine matches or email telemetry indicating a widespread email campaign.
Looking at the command-and-control domains, however, the researchers were able to narrow down the countries where the malware is being distributed. During their investigation of the active C2 infrastructure, the affected countries were the United Kingdom, the United States, Russia, India, Ukraine, the Czech Republic, Romania and Colombia.
"We remain uncertain about the intentions of the actor. The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why," the researchers note.
The researchers were unable to find any other data to make clear whether this is a financially motivated actor using headlines to gain new access or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.
They say the domains amnestyinternationalantipegasus[.]com, amnestyvspegasus[.]com and antipegasusamnesty[.]com were used to lure victims into downloading the malware. "These domains were registered on Sept. 2, 2021, and the first two were hosted on the same IP address," researchers say.
Two of the domains associated with the campaign have their contact information anonymized. "Amnestyinternationalantipegasus[.]com is registered under the name 'Evgen Tarasevich' with the email vitapruneaummi51@gmail[.]com. Antipegasusamnesty[.]com, however, is registered under the name 'Vladislav Syhomlin' with the email address vladmakop@rambler[.]ru. In both cases the domains have addresses in Kiev, Ukraine," the researchers note.
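The three domains above share a recognizable pattern: each combines the "amnesty" and "pegasus" brand tokens, all were registered on the same day, and two sat on one IP address. The script below is an added example, not code from Cisco Talos or from this article, showing how a defender can pivot on newly registered domains to flag such brand-combination lookalikes and cluster them by shared hosting IP and registration date. The registration records it processes are constructed for illustration: only the three domain names come from the article, and the IP addresses, dates for the non-campaign domains, and the allowlist are placeholders.

```python
"""Added example (not from the Talos report or the article): flag domains that
combine two brand tokens and cluster them by (hosting IP, registration date).
The RECORDS list is constructed; the three campaign domains are the only real
indicators, and their IPs here are TEST-NET placeholders."""
from collections import defaultdict
import re

# Brand tokens an impersonation domain would combine. The article's three
# domains all contain both "amnesty" and "pegasus".
BRAND_TOKENS = ("amnesty", "pegasus")

# Known legitimate owner of the brand; never flagged (assumed allowlist).
ALLOWLIST = {"amnesty.org"}

# Constructed records: (domain as seen in a feed, possibly defanged,
#                       registration date, hosting IP)
RECORDS = [
    ("amnestyinternationalantipegasus[.]com", "2021-09-02", "203.0.113.10"),
    ("amnestyvspegasus[.]com",               "2021-09-02", "203.0.113.10"),
    ("antipegasusamnesty[.]com",             "2021-09-02", "203.0.113.11"),
    ("amnesty.org",                          "1994-12-09", "198.51.100.5"),
    ("pegasus-airlines-example.com",         "2021-09-02", "203.0.113.10"),
    ("weather-example.net",                  "2021-09-02", "203.0.113.10"),
]


def normalize(domain: str) -> str:
    """Lower-case, undo '[.]' defanging and drop a trailing dot so that feed
    entries and plain hostnames compare equal."""
    return domain.lower().replace("[.]", ".").rstrip(".")


def registrable_label(domain: str) -> str:
    """Second-level label with separators removed, so 'anti-pegasus-amnesty'
    and 'antipegasusamnesty' yield the same string."""
    labels = normalize(domain).split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return re.sub(r"[^a-z0-9]", "", label)


def is_brand_combination(domain: str, tokens=BRAND_TOKENS) -> bool:
    """True when every brand token appears in the registrable label and the
    domain is not on the allowlist. A single token (e.g. only 'pegasus') is
    not enough; combosquats pair the brand with the lure keyword."""
    if normalize(domain) in ALLOWLIST:
        return False
    label = registrable_label(domain)
    return all(tok in label for tok in tokens)


def flag_lookalikes(records):
    """Return the records whose domain combines all brand tokens."""
    return [r for r in records if is_brand_combination(r[0])]


def cluster_by_ip_and_date(records):
    """Group flagged domains by (hosting IP, registration date). Clusters of
    two or more are the shared-infrastructure signal worth pivoting on."""
    clusters = defaultdict(list)
    for domain, reg_date, ip in flag_lookalikes(records):
        clusters[(ip, reg_date)].append(domain)
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= 2}


if __name__ == "__main__":
    for dom, date, ip in flag_lookalikes(RECORDS):
        print(f"lookalike: {dom:40} registered {date} on {ip}")
    for (ip, date), doms in cluster_by_ip_and_date(RECORDS).items():
        print(f"cluster on {ip} registered {date}: {', '.join(doms)}")
```

Run against a real newly-registered-domain feed, the same two functions give a daily short list: domains that combine a brand you care about with a topical lure word, grouped so that the ones sharing a host and a registration day surface together. The allowlist matters because the genuine brand owner's domain will always match the brand token.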