Fake Amnesty International tool for Pegasus spread malware instead

by Linas Kiguolis - - 2021-10-01

New campaigns spread Sarwent Trojan using advertisements of fake AVPegasus that should find spyware traces and remove them

Site identical to real of Amnesty International Fake Amnesty International tool for Pegasus removal delivers RAT capable of data exfiltration

Fake Amnesty International Antivirus designed to find Pegasus spyware hacks computers and spreads the Trojan.^[1] Fears surrounding the spyware distribution help trojan creators to lure users into clicking the malicious link. Pegasus is the malware used to spy on journalists, government figures, and other activists worldwide.^[2] While advertised as the crime-fighting software, a tool developed by NSO Group is used as a surveillance app against innocent people.^[3]

Real Amnesty International team, Forbidden Stories, and other media outlets reported the use of the Pegasus, and spyware developers denied their findings. Recent investigations show that a fake anti-pegasus tool spreads Sarwent malware that can hide in plain sight and damage the computer significantly. Various flaws get used by the malware, so software developers like Apple patch those vulnerabilities.^[4]

The remote access tool is used to capitalize on the recent Pegasus spyware revelations. The malware looks and behaves like the legitimate anti-malware program created to track any spyware traces and eliminate them. These attacks have been active for more than six months. It is believed that campaigns started back in January, and targets are scattered in various countries worldwide.

Promises to protect against spyware ends with malware delivery

Cisco Talos reported^[5] discovery of the malware campaign impersonating the human rights group Amnesty International. These attackers made the advertising page to make the malicious app look like legitimate software from Amnesty International. Graphical user interface and disguise methods got used to trick people concerned about the Pegasus spyware usage to allow the infection on their device.

Sarwent has a look and feel that could easily be recognized as a regular anti-virus program. It provides the attacker with the means to upload and execute any other malicious tools.

The main targets of the Pegasus spyware include authoritarian governments that focus on keeping tabs on international activists, journalists. The fake websites were discovered and investigated to indicate that Sarwent malware was in place of the AVPegasus tool. Even when the RAT is launched, people get tricked into believing that the tool is a legitimate anti-virus application.

Phishing campaigns or malicious advertisements were not found promoting the fake website and deceiving people. Still, analysis of the domains shows that particular websites got accessed without any search engine involvement. This fact indicates that widespread email campaigns must be involved in the deceiving campaign. Possibly affected countries include Ukraine, Poland, Brazil, Vietnam, Canada, Italy, Spain, Sweden, United Kingdom, and the US.

Sarwent malware functions and possible links to Russia

The remote access trojan can create the type of backdoor directly on the affected system or activate the remote desktop protocol right away. This is an information stealer, but the virus looks and behaves like an anti-virus solution while exfiltrating various types of data from the infected system. A trojan can provide the malicious actor with direct access to the system, so code or malicious tools can be executed.

Researchers strongly believe that the actor behind this campaign is a Russian hacker releasing these campaigns since January 2021. Talos also claims that the same attacker can be linked with other malware campaigns since 2014. It can be an indication that Trojan is much older than believed at first.

It is not clear what are intentions of the actor are. However, goals can be specific given all the circumstances, like the use of a particular organization, Pegasus brand. It is possible that this is the financially motivated actor that uses headlines to gain profit. But the state-supported actor going after targets concerned about the Pegasus threat also can be true.

Defenders and administrators should always be aware of current events, and warn their users and employees of potential spam attacks that could leverage this information.

About the author

Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions

References

^ Ravie Lakshmanan. Beware of Fake Amnesty International Antivirus for Pegasus that Hacks PCs with Malware. Thehackernews. Technology and malware reports.
^ Anthony Spadafora. This malware pretends to be Amnesty International protection from Pegasus. Techradar. IT news and reviews.
^ Julie Splinters. Pegasus spyware targeting human rights activists in 45 countries. 2-spyware. Virus removal guides and news.
^ Apple iPhone iOS 14.8 patches security exploit used by Pegasus spyware. Euronews. Biztech news.
^ Vitor Ventura and Arnaud Zobec. A wolf in sheep's clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus. Talosintelligence. Security research blog.