Hackers are pretending to be human rights organization Amnesty International to target users with a fake anti-spyware product in a new malware campaign.
Victims were duped into downloading malware they thought was protection against NSO Group’s Pegasus spyware, according to security researchers at Cisco Talos.
Amnesty International recently published a report on the widespread use of Pegasus to target international journalists and activists. Hackers capitalized on this by setting up a fake website that looked like Amnesty International's and linked to an antivirus tool to protect against Pegasus. However, the download installs the little-known Sarwent malware.
Cisco Talos researchers Vitor Ventura and Arnaud Zobec said that Salwent, a remote access tool (RAT), opens a backdoor on the victim machine. It can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.
“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple recently released a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time,” the researchers said.
Researchers were highly confident the hackers behind the campaign are Russian and have been running Sarwent-based attacks on a variety of victims since January 2021. They also said they were uncertain about the actor’s intentions.
Eight steps to fight ransomware
Insights into how you can protect yourself from this ever increasing threat
“The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” said researchers.
Investigations failed to find supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.
Researchers concluded that while it may seem like an actor trying to gather some easy-to-monetize information, some aspects, such as the level of customization with the RAT, intentionally misleading information, and the low volume of targets, indicate this may be a more advanced actor without financial motivation.
