According to Cisco Talos researchers, “Adversaries have set up a false website that looks like Amnesty International’s — a human rights-focused non-governmental organisation — and refers to a promised antivirus programme to protect against the NSO Group’s Pegasus tool. However, the Sarwent malware is installed as a result of the download.”

The Sarwent sample used in this low-volume campaign is a heavily customised Delphi variant. It can give the attacker remote desktop access through VNC or RDP, and it can execute command-line or PowerShell commands received from an attacker-controlled domain and send the results back to the server.

Additionally, the researchers confirm that this variant is not a traditional-looking information stealer built to steal and exfiltrate credentials. Instead, the Sarwent malware is dressed up as a regular antivirus program, and the threat actors can use it to upload and download additional malware onto the victim's machine.

Source: Cisco

The countries most affected by the campaign include the U.K., the U.S., Russia, India, Ukraine, the Czech Republic, Romania and Colombia. It is unclear how the victims reached the phoney Amnesty International website, but the cybersecurity firm believes the attacks could be targeted at people looking for protection against this threat.

Source: Cisco

The supposed anti-Pegasus software is presented as an antivirus tool, but in reality it gives the bad actor remote access to the compromised machine and the ability to exfiltrate data. This is on top of the social engineering technique of creating a website that looks identical to Amnesty International's legitimate portal.

Researchers also believe the campaign is the work of a Russian-speaking actor based in that country who has been mounting attacks involving the Sarwent backdoor against a variety of victims since at least January 2021; however, they are unsure of the attacker's intentions based on the data available during the analysis.

Since then, the NGO has developed a Mobile Verification Toolkit (MVT) to assist people in scanning their iPhone and Android devices for signs of compromise.

Finally, the researchers said, “The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement but there is insufficient information to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access”.

Indicators of Compromise:






