Amnesty International Pwned In Malware Campaign

New intelligence from Cisco Talos shows Amnesty International’s branding and profile is being used as part of a new malware campaign titled “Sarwent” that exploits people’s fears of the notorious Pegasus spyware app:

Adversaries have set up a phony website that looks like Amnesty International’s — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group’s Pegasus tool. However, the download actually installs the little-known Sarwent malware. 

Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly. We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International’s report, Apple also had to recently release a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time. 

The malicious software being deployed is not a standard information stealer that, once executed, steals credentials and exfiltrates them immediately. In this case, Sarwent has a look and feel that could easily be recognized as a regular anti-virus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim’s computer. 

The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.

This is another one of these malware campaign that is far from trivial. Saumitra Das, CTO and Cofounder Blue Hexagon had this to say about this campaign:

     “Although technically Sarwent is not as sophisticated as Pegasus; both Sarwent and Pegaus are examples of how the commercial surveillance industry is growing, and the myriad of tactics that spyware actors will use to ensure the targeting of individuals.”

     “New legislation is needed to ban not only the use but purchase of surveillance-ware and targeting of individuals. Despite the fact there is a lot of noise being made about Pegasus, very little light has been shed on the organizations, countries and individuals who are actually purchasing and using such software to target individuals.”

Because you can expect to see more campaigns like this in the future, you need to keep your wits about you to ensure that you don’t become a victim.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: