Threat actors are exploiting the reputation and branding of human rights organisation Amnesty International to target its victims with malware masquerading as an anti-spyware remedy.
The little-known Sarwent remote access trojan (Rat) malware is being used against people who are concerned that they may become targets of Pegasus, a supposedly legitimate spyware app developed by Israeli cyber firm NSO Group.
Pegasus has been at the centre of global controversy in recent months after extensive investigations found government customers of NSO were using it to target activists, dissidents, journalists and politicians. It has also been linked to the murder of journalist Jamal Khashoggi by the Saudi Arabian authorities.
Now, Cisco Talos researchers Vitor Ventura and Arnaud Zobec say the threat actors behind Sarwent are taking advantage of the situation in order to compromise their victims.
In this attack, targets are directed to a link to an anti-virus tool from a website masquerading as that of Amnesty International – which played a key role in the recent investigation into Pegasus – which downloads Sarwent to their devices.
The Rat serves mainly as a backdoor and also has the ability to access the remote desktop protocol (RDP) on a victim’s machine, enabling whoever is behind it to access the desktop directly, should it compromise a PC or laptop. It enables attackers to upload and execute additional malicious tools, and can also exfiltrate data.
“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware,” said Ventura and Zobec in a disclosure blog.
“In addition to Amnesty International’s report, Apple also had to recently release a security update for iOS that patched a vulnerability that attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time.”
Ventura and Zobec believe the campaign itself to be originating from Russia with a high degree of confidence, but analysis of the domains involved appears to suggest the campaign is not widespread, so there is a certain measure of doubt over the motivation behind it.
“The campaign targets people who might be concerned that they are targeted by the Pegasus spyware,” they said. “This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.”
Regardless of which group is behind this campaign, it is clearly successfully leveraging current events as a lure – a common tactic, as the Covid-19 pandemic has demonstrated. Security teams and administrators are best advised to try to keep abreast of the news cycle in order to warn users about such lures.
“Pegasus continues to intrude on people’s lives and attack devices in what seems like an endless game of cat and mouse,” said ESET’s Jake Moore.
“Targeting people’s fear in the spyware is a tactic used by threat actors in going after those most at risk – but in fact, it is cleverly homing in on their prey.
“It can often be very difficult to spot whether or not a webpage is real quickly, but people must always remain on guard and carry out due diligence before it is too late. People should always be cautious of any software and carry out research where possible. It is also important to avoid downloading and installing software from unknown sources online.”
