Posted on Leave a comment

Hackers Spreading Malware By Misusing Trust Of Amnesty International.

According to Cisco Talos researchers, “Adversaries have set up a false website that looks like Amnesty International’s — a human rights-focused non-governmental organisation and refers to a promised antivirus programme to protect against the NSO Group’s Pegasus tool. However, the Sarwent malware is installed as a result of the download.”

The Sarwent sample utilised in the low-volume campaign is a heavily customised Delphi variation capable of allowing remote desktop access through VNC or RDP, as well as executing command line or PowerShell commands received from an attacker-controlled domain and sending the results back to the server.

Additionally, researchers confirms that this variant is not a traditional looking information stealer for stealing and exfiltrating the credentials. Instead, sarwent malware looks like a regular antivirus program which can be used by the threat actors for uploading and downloading additional malwares into victim machine.

Source: Cisco

Most affected countries by the Campaign such as the U.K ,the U.S ,Russia , India ,Ukraine , Czech Republic ,Romania and Columbia. There is an unclear idea how the victims visited the phoney Amnesty International website , the cybersecurity firm believed that attacks could be targeted at people looking for security against this threat.

Source: Cisco

Anti Pegasus software is an antivirus tool which have the capabilities to allow the bad actor to gain remote access to the compromised machine and exfiltrate data. Apart from Social Engineering techniques by creating a website that looks identical to Amnesty International ‘s Legitimate portal.

Researchers also believe that Russian-speaking actor based in the country who has been mounting attacks involving the Sarwent backdoor on a variety of victims since at least January 2021, however they are unsure of the intention of the hacker based on the available data during the analysis.

Since then, the NGO has developed a Mobile Verification Toolkit (MVT) to assist people in scanning their iPhone and Android devices for signs of compromise.

Finally the researchers said that , “The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement  but there is insufficient information to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access”.

Indicators of Compromise::

Hostname/Domains

amnestyinternationalantipegasus[.]com
medicalsystemworld[.]site
alwaysstriveandprosper[.]space
amnestyvspegasus[.]com
antipegasusamnesty[.]com
mementomoriforlife[.]ru

IPs

87[.]249[.]53[.]124
185[.]215[.]113[.]67
194[.]9[.]71[.]129

Hashes

59a447749878aec9ed0a9a71332b8a3d50eafee21de446b70a370786d548ee05
5df8a6f08f0eeb1b05f949328674444778c4c078f03e35c0efff268c58dc6396

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply