Amnesty International's recently released Pegasus spyware scanner appears to have been used as a lure by malicious actors to install a lesser-known remote access tool called Sarwent.
The malware is presented as a legitimate antivirus tool designed specifically to scan for and remove traces of Pegasus.
The Sarwent-based attacks have been going on since at least the beginning of the year and have targeted a variety of victim profiles in many countries.
The lure used in previous campaigns is not clear at this time, but researchers at Cisco Talos recently found a new attack in which Sarwent was delivered through a fake Amnesty International website advertising an anti-Pegasus antivirus.
The attacker tried to make the malware look like a legitimate antivirus by giving it a polished graphical user interface.
Choosing this disguise suggests that the scammer is trying to trick users who are looking to protect their devices from Pegasus spyware.
It is not clear how the scammer is attracting visitors to the fake Amnesty International website, but an analysis of the campaign's domains "shows that the initial domains were accessed from all over the world", although there is no indication of a large-scale campaign.
According to data from the control panel of a Sarwent command-and-control (C2) server that was active during the investigation, the malware mainly reached users in the UK.
Investigators believe the attacker came from Russia. They also found a similar backend used since 2014, indicating either that the malware is much older than we initially thought or that someone else was using it before.
Sarwent is written in Delphi and is rarely seen in the wild. It has the functionality typical of a remote access tool (RAT), giving the operator access to the infected machine.
It allows direct access to the machine by enabling Remote Desktop Protocol (RDP) or through Virtual Network Computing (VNC), and it can also execute commands through PowerShell.
Cisco Talos researchers believe that the graphical user interface that disguises Sarwent as an antivirus solution indicates that the malicious actor behind it has access to the malware's source code.
In addition to impersonating Amnesty International's Pegasus scanner, the Sarwent operator also used the following domains to impersonate the organization:
amnestyinternationalantipegasus [.] com
amnestyvspegasus [.] com
antipegasusamnesty [.] com
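The three impersonation domains above are the kind of indicator a defender would want to match against DNS or proxy logs. The following is an added example, not code from the article or from Cisco Talos: it refangs the domains from the defanged form used above, flags exact and subdomain matches in a constructed DNS query log, and additionally applies a lookalike heuristic (a registrable label that combines both "amnesty" and "pegasus"), which is an assumption of this example and not a rule stated in the article. The log format and the sample lines are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Impersonation domains named in the article, in the defanged form used there.
DEFANGED_IOCS = [
    "amnestyinternationalantipegasus [.] com",
    "amnestyvspegasus [.] com",
    "antipegasusamnesty [.] com",
]

# Keyword pair that all three listed domains combine. Using it as a lookalike
# heuristic is an assumption of this example, not a rule from the article.
LOOKALIKE_TOKENS = ("amnesty", "pegasus")


def refang(domain: str) -> str:
    """Turn a defanged name such as 'example [.] com' or 'example[.]com' back into a real domain."""
    return re.sub(r"\s*\[\.\]\s*", ".", domain.strip()).lower().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often include."""
    return domain.strip().lower().rstrip(".")


def matches_ioc(domain: str) -> bool:
    """True for an exact IoC match or any subdomain of an IoC domain."""
    d = normalize(domain)
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)


def looks_like_impersonation(domain: str) -> bool:
    """Heuristic: the second-level label contains both keywords, like the listed domains."""
    labels = normalize(domain).split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return all(tok in sld for tok in LOOKALIKE_TOKENS)


@dataclass
class Finding:
    client: str
    domain: str
    reason: str


# Constructed sample lines in a simple "timestamp client query" format (not a real capture).
SAMPLE_LOG = """\
2021-10-05T09:12:01Z 10.0.0.15 www.amnesty.org
2021-10-05T09:12:44Z 10.0.0.22 amnestyvspegasus.com.
2021-10-05T09:13:02Z 10.0.0.22 download.antipegasusamnesty.com
2021-10-05T09:14:19Z 10.0.0.31 pegasus-amnesty-checker.example
2021-10-05T09:15:00Z 10.0.0.15 update.microsoft.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)\s*$")


def scan_dns_log(text: str) -> list[Finding]:
    """Return one Finding per log line whose queried name is a known IoC or a lookalike."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        query = m.group("query")
        if matches_ioc(query):
            findings.append(Finding(m.group("client"), normalize(query),
                                    "known Sarwent impersonation domain"))
        elif looks_like_impersonation(query):
            findings.append(Finding(m.group("client"), normalize(query),
                                    "lookalike: combines 'amnesty' and 'pegasus'"))
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.domain}: {f.reason}")
```

Exact IoC matches are high confidence; the lookalike heuristic is a triage aid that will also catch benign names, so treat its hits as candidates for review rather than alerts on their own.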
Based on the data gathered, the researchers are unable to categorize Sarwent's threat actor. At first glance, he seems to be someone who is just looking for easy money. However, some of the findings suggest that his goal is not primarily money, mainly because of the low number of victims and the level of customization of the campaign.