Fake Amnesty International Pegasus scanner infects Windows devices

Amnesty International recently released a Pegasus spyware scanner, and malicious actors appear to be exploiting its name to distribute a lesser-known remote access tool called Sarwent.


The malware is disguised as a legitimate antivirus tool that claims to scan for and remove traces of Pegasus on the system.

The Sarwent-based attacks have been going on since at least the beginning of the year and have targeted a variety of victim profiles in many countries.

The lure used in earlier campaigns is not known at this time, but researchers at Cisco Talos recently found a new attack in which Sarwent was delivered through a fake Amnesty International website advertising an anti-Pegasus antivirus.

The attacker tried to make the malware pass as a legitimate antivirus by giving it a convenient graphical user interface.

The choice of disguise suggests that the attacker is targeting users who are trying to protect their devices from Pegasus spyware.

It is not clear how the attacker drives visitors to the fake Amnesty International website, but an analysis of the campaign's domains shows that the initial domains were accessed from around the world, although there is no indication of a large-scale campaign.


According to data from the control panel of a Sarwent command-and-control (C2) server that was active during the investigation, the malware mainly reached users in the UK.


Investigators believe the attacker is based in Russia. They also found a similar backend in use since 2014, which indicates either that the malware is much older than initially thought or that someone else was using it before.

Sarwent is written in Delphi and is rarely seen in the wild. It has the functions typically found in a remote access tool (RAT), giving the operator control over the infected machine.

It provides direct access to the machine by enabling the Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) on the system; it can also execute commands through PowerShell.

Cisco Talos researchers believe that the graphical user interface that dresses Sarwent up as an antivirus solution indicates that the threat actor behind it has access to the malware's source code.


In addition to making fake copies of Amnesty International's Pegasus scanner, the Sarwent operator also used the following domains to impersonate the organization:

amnestyinternationalantipegasus [.] com

amnestyvspegasus [.] com

antipegasusamnesty [.] com
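The three domains above are listed defanged, as indicators usually are. A practitioner who wants to hunt for them in DNS or proxy telemetry has to refang them and match on hostname boundaries so that subdomains of an indicator are caught while unrelated look-alike names are not. The following Python is an added example written for this article, not code from Cisco Talos or the article's author; the log format and the log lines are constructed for illustration, and only the three domain names come from the page.

```python
import re

# The three impersonation domains named in the Cisco Talos findings,
# kept defanged exactly as the article lists them.
DEFANGED_IOCS = [
    "amnestyinternationalantipegasus [.] com",
    "amnestyvspegasus [.] com",
    "antipegasusamnesty [.] com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example [.] com", "example[.]com",
    "hxxp://example(.)com/") back into a matchable hostname."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)          # hxxp:// scheme defanging
    d = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", d)  # "[.]" and " [.] "
    d = re.sub(r"\s*\(\s*\.\s*\)\s*", ".", d)  # "(.)"
    return d.rstrip("/")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def is_ioc_host(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one.

    The boundary check ("." + ioc) is what keeps a look-alike such as
    notamnestyvspegasus.com from matching amnestyvspegasus.com.
    """
    h = host.strip().lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in IOC_DOMAINS)


# Constructed DNS-resolver log lines (not real telemetry), one query per
# line: timestamp, client IP, queried name, record type.
SAMPLE_DNS_LOG = """\
2021-10-05T09:12:41Z 10.0.3.17 www.amnesty.org A
2021-10-05T09:13:02Z 10.0.3.17 amnestyvspegasus.com A
2021-10-05T09:13:02Z 10.0.3.17 download.antipegasusamnesty.com A
2021-10-05T09:14:55Z 10.0.4.8 update.microsoft.com A
2021-10-05T09:15:10Z 10.0.4.8 notamnestyvspegasus.com A
"""

# Assumed log layout for the constructed sample above.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def find_ioc_hits(log_text: str) -> list[dict]:
    """Return one record per log line whose queried name hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        if is_ioc_host(m["qname"]):
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"].lower().rstrip("."),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']}")
```

Run against the sample, the script reports the two queries from 10.0.3.17 (the bare indicator and a subdomain of another) and ignores both the legitimate amnesty.org lookup and the look-alike name that merely ends with one of the indicators.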

Based on the data gathered, the researchers are unable to categorize the threat actor behind Sarwent. At first glance, the actor appears to be someone simply looking for easy money. However, some of the findings suggest that the goal is not primarily financial, mainly because of the low number of victims and the level of customization in the campaign.

Absent Mia