Hackers have impersonated the human rights organization Amnesty International to distribute malware that purports to be security software designed to safeguard against NSO Group’s Pegasus surveillanceware.
Through a fake site, the hackers passed off their malware as a legitimate antivirus tool that promises to protect against the Pegasus spyware, duping many into downloading and installing the Sarwent malware. The fake tool serves as a backdoor to the victim’s machine and has several means of executing remote tasks, including Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC), according to researchers at Cisco Talos.
Cisco Talos said that the fake site is almost identical to Amnesty International’s legitimate site. The only visible difference is that the original site has a white background behind the menu, while the fake site has a transparent background.
The malicious software, dubbed “AVPegasus” by the hackers and featured on their homepage, steals information and credentials and exfiltrates them immediately upon execution.
“Sarwent has a look and feel that could easily be recognised as a regular antivirus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim’s computer,” researchers note.
Specified targeting
Researchers are assessing whether the hackers could potentially be nation-state attackers. “This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access,” according to researchers.
While it’s unclear how victims are lured to the fake Amnesty International website, the cybersecurity firm surmised that the attacks could be aimed at users specifically searching for protection against this threat, since it was Amnesty that released a report on how the NSO Group’s Pegasus spyware was used to target international journalists and activists.
“We remain uncertain about the intentions of the actor. The use of Amnesty International’s name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” the researcher added.
Furthermore, the researchers were unable to determine whether this attack was financially motivated or whether the hackers were targeting those concerned about the threat Pegasus presents to them.
The hack comes on the heels of an explosive investigation in July 2021 that revealed widespread abuse of the Israeli company’s Pegasus “military-grade spyware” to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world.
Russian group behind the threat
Researchers at Cisco Talos believe with high confidence that the hackers behind the attack are Russian-speaking, located in Russia and have been running similar Sarwent-based attacks since at least January 2021.
“Talos assesses with moderate confidence that this actor has been using the Sarwent malware, or another one with a similar backend, since 2014, which makes this malware much older than originally expected. The other possibility is that the threat actor has been using malware previously used by another actor,” the researchers note.
Researchers in previous campaigns found victims in several countries including India, Colombia, the United States and Germany.
Investigations into domains continue
Researchers found that the domains involved were accessed from around the world, with no search engine matches and no indication of a widespread email campaign.
During their investigation, researchers were able to narrow down the countries of distribution. The countries affected are the United Kingdom, the United States, Russia, India, Ukraine, the Czech Republic, Romania and Colombia.
The investigation shows that two of the domains used to lure victims into downloading the malware have their contact information anonymized. “Amnestyinternationalantipegasus[.]com is registered under the name ‘Evgen Tarasevich’ with the email vitapruneaummi51@gmail[.]com; antipegasusamnesty[.]com, however, is registered under the name Vladislav Syhomlin with the email address vladmakop@rambler[.]ru. In both cases the domains have addresses in Kiev, Ukraine. These domains were registered on Sept. 2, 2021, and the first two hosted on the same IP address,” researchers say.
The NGO has since also released a Mobile Verification Toolkit (MVT) to help individuals scan their iPhone and Android devices for evidence of compromise.