According to Cisco Talos researchers, “Adversaries have set up a false website that looks like Amnesty International’s — a human rights-focused non-governmental organisation and refers to a promised antivirus programme to protect against the NSO Group’s Pegasus tool. However, the Sarwent malware is installed as a result of the download.”
The Sarwent sample used in this low-volume campaign is a heavily customised Delphi variant. It can give the operator remote desktop access through VNC or RDP, execute command line or PowerShell commands received from an attacker-controlled domain, and send the results back to the server.
The researchers also confirm that this variant is not a traditional information stealer built to harvest and exfiltrate credentials. Instead, Sarwent masquerades as a regular antivirus program, which the threat actors can use to upload and download additional malware on the victim machine.
The countries most affected by the campaign include the U.K., the U.S., Russia, India, Ukraine, the Czech Republic, Romania and Colombia. It is unclear how victims reached the phoney Amnesty International website, but the cybersecurity firm believes the attacks could be aimed at people looking for protection against this threat.
The "Anti Pegasus" software is presented as an antivirus tool, but it actually gives the attacker remote access to the compromised machine and the ability to exfiltrate data. The lure relies on social engineering: a website built to look identical to Amnesty International's legitimate portal.
Researchers also believe that a Russian-speaking actor based in Russia has been mounting attacks involving the Sarwent backdoor against a variety of victims since at least January 2021; however, they are unsure of the attacker's intentions based on the data available during the analysis.
Since then, the NGO has developed a Mobile Verification Toolkit (MVT) to assist people in scanning their iPhone and Android devices for signs of compromise.
Finally, the researchers said, “The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement but there is insufficient information to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.”
Indicators of Compromise: