A fake Amnesty International antivirus for Pegasus can infect PCs with malware, which just goes to show that hackers are improvising by keeping themselves up to date with current world events.
Cisco Talos researchers in a blog post said, “Adversaries have set up a phony website that looks like Amnesty International’s — a human rights-focused non-governmental organization — and points to a promised antivirus tool to protect against the NSO Group’s Pegasus tool. However, the download actually installs the little-known Sarwent malware.”
It is not clear how the hackers manage to lure victims to the fake Amnesty International website. Countries such as the UK, US, Russia, India, Ukraine, Czech Republic, Romania, and Colombia have been affected by the campaign. According to Cisco Talos, the attacks could be aimed at users who are specifically searching for protection against this threat. Pegasus is military-grade spyware, developed by an Israeli company, that facilitates human rights violations by spying on heads of state, activists, journalists, and lawyers across the world. To help individuals combat this, the NGO (Amnesty International) has released a Mobile Verification Toolkit (MVT) to scan their iPhone and Android devices for traces of compromise.
The bad actors have built a rogue website and combined it with social engineering tricks. The rogue website looks identical to Amnesty International’s legitimate site, and on it the bad actors lure victims into downloading an “Amnesty Anti Pegasus Software” package disguised as an antivirus tool; what it actually installs gives the attackers the ability to remotely compromise the machine and exfiltrate sensitive information, such as login credentials.
According to the researchers, the Sarwent sample used in the low-volume campaign is a highly customized variant coded in Delphi. It can provide remote desktop access through VNC or RDP and execute command-line or PowerShell instructions received from an attacker-controlled domain, with the results sent back to the server. Talos linked the activity to a Russian-speaking actor who has been using the Sarwent malware since as early as 2014. “This access is especially interesting given that we were unable to find anyone selling access or builders for this malware.”
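The capabilities described above (a downloaded "antivirus" binary that enables RDP/VNC access and runs command-line or PowerShell instructions on the attacker's behalf) map onto a few endpoint-telemetry heuristics a defender can check for. The following is an added illustration, not code from Cisco Talos or from the article: it runs three such heuristics over a handful of constructed Sysmon-style events. The event shape, the file name `AmnestyAntiPegasus.exe` and the encoded command are all made up for the demo; the registry value `fDenyTSConnections` and the `netsh advfirewall` syntax are real Windows mechanisms for enabling Remote Desktop, but the article does not state that Sarwent uses them, so treat them as generic indicators rather than campaign-specific ones.

```python
import re
from dataclasses import dataclass

# Constructed endpoint telemetry for the demo. These are NOT logs from the
# campaign in the article, only the shape of process/registry events that a
# Sysmon-style sensor or an EDR would emit.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # A shell spawned by a binary that lives in the user's Downloads folder,
    # running a hidden, base64-encoded command (constructed value).
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\AmnestyAntiPegasus.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    # Same binary flips the registry toggle that enables Remote Desktop.
    {"id": 3, "type": "registry",
     "image": r"C:\Users\alice\Downloads\AmnestyAntiPegasus.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "0"},
    # ...and opens the RDP port in the host firewall.
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Users\alice\Downloads\AmnestyAntiPegasus.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote" dir=in '
                'action=allow protocol=TCP localport=3389'},
    # Benign: an interactive PowerShell launched from Explorer.
    {"id": 5, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Paths a normal user can write to; a freshly downloaded "antivirus" lands here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.IGNORECASE)
# Registry toggle for Remote Desktop (0 = connections allowed).
RDP_KEY = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.IGNORECASE)
# Firewall rules that expose RDP (3389) or VNC (5900).
REMOTE_PORTS = re.compile(r"localport=(3389|5900)\b", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply the three heuristics to one event and return any findings."""
    findings = []
    if ev["type"] == "process":
        img = basename(ev["image"])
        parent = ev.get("parent", "")
        cmd = ev.get("cmdline", "")
        if img in SHELLS and USER_WRITABLE.search(parent):
            findings.append(Finding(ev["id"], "shell_from_user_writable_parent", parent))
        if img in SHELLS and "-encodedcommand" in cmd.lower():
            findings.append(Finding(ev["id"], "encoded_powershell", cmd))
        if img == "netsh.exe" and REMOTE_PORTS.search(cmd):
            findings.append(Finding(ev["id"], "firewall_opens_remote_desktop_port", cmd))
    elif ev["type"] == "registry":
        if RDP_KEY.search(ev["key"]) and ev["value"] == "0":
            findings.append(Finding(ev["id"], "rdp_enabled_via_registry", ev["key"]))
    return findings


def scan(events: list) -> list:
    """Run check_event over a stream of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


def suspect_binaries(events: list) -> dict:
    """Group findings by the user-writable binary that caused them, so that a
    single downloaded file tripping several rules stands out from one-off hits."""
    by_binary = {}
    for ev in events:
        for f in check_event(ev):
            origin = ev.get("parent") if ev["type"] == "process" else ev.get("image")
            if origin and USER_WRITABLE.search(origin):
                by_binary.setdefault(origin, set()).add(f.rule)
    return by_binary


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} -> {f.detail}")
    for binary, rules in suspect_binaries(SAMPLE_EVENTS).items():
        print(f"{binary}: {len(rules)} distinct rules -> {sorted(rules)}")
```

The grouping in `suspect_binaries` is the part worth keeping: any one of these events can be benign on its own (administrators do enable RDP), but a binary from a user's Downloads folder that spawns hidden encoded PowerShell, enables Remote Desktop and opens its port in the same session is exactly the pattern the Talos write-up describes, and correlating on the originating file name surfaces it as one incident rather than four alerts.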
“The campaign targets people who might be concerned that they are targeted by the Pegasus spyware,” the researchers said. “This targeting raises issues of possible state involvement, but there is insufficient information […] to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.”