Fake Amnesty International Antivirus Hacks PCs through Malware
Hacking groups are getting quicker at capitalizing on world events and tuning their attack campaigns for the greatest impact. In this instance, they have been observed impersonating Amnesty International to deliver malware that pretends to be security software protecting against Pegasus.
Cisco Talos researchers identified that threat actors have set up a deceptive website that mimics Amnesty International's. It offers a supposed antivirus tool to defend against the NSO Group's Pegasus spyware; once downloaded and run, the file installs the Sarwent malware.
The countries with the most victims of the campaign include the U.K., the U.S., Russia, India, Ukraine, the Czech Republic, Romania, and Colombia. How victims are lured to the fake Amnesty International website is still unknown. However, the cybersecurity firm infers that the attacks could be aimed specifically at users who are looking for protection against this threat.
A thorough investigation conducted in July 2021 uncovered extensive abuse of Pegasus to enable human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world. The NSO also released a Mobile Verification Toolkit to help people scan their iPhone and Android devices for signs of compromise.
The Sarwent malware sample used in the campaign is a tailored variant written in Delphi. It allows remote desktop access and executes command line or PowerShell instructions received from an attacker-controlled domain. The results of those commands are sent back to the server.
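A backdoor with the capabilities described above leaves two detectable traces on the endpoint: a freshly downloaded binary in a user-writable folder spawning cmd.exe or PowerShell, and that same binary opening outbound connections to fetch commands and return results. The following Python script is an added example, not code from the article or from Cisco Talos; it runs simple detection rules over constructed process and network telemetry lines (the key=value format, file names, PIDs and addresses are all invented for illustration, not indicators from the campaign).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories an ordinary user can write to. A binary living here that spawns
# shells or talks to the network is what a fake "antivirus" download looks like.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    kind: str                          # "process" or "network"
    pid: int
    image: str                         # full path of the executable
    parent_image: Optional[str] = None # only for process-creation events
    dest: Optional[str] = None         # only for network events


def parse_event(line: str) -> Event:
    """Parse one key=value telemetry line (constructed format, not Sysmon's)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(
        kind=fields["kind"],
        pid=int(fields["pid"]),
        image=fields["image"],
        parent_image=fields.get("parent_image"),
        dest=fields.get("dest"),
    )


def in_user_writable(path: str) -> bool:
    """True if the path sits under a user-writable directory."""
    return any(d in path.lower() for d in USER_WRITABLE_DIRS)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a detection rule."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        # Rule 1: a shell whose parent is a binary in a user-writable folder.
        if (ev.kind == "process" and basename(ev.image) in SHELL_IMAGES
                and ev.parent_image and in_user_writable(ev.parent_image)):
            alerts.append({"rule": "shell_spawned_by_user_writable_binary",
                           "pid": str(ev.pid), "parent": ev.parent_image})
        # Rule 2: a binary in a user-writable folder opening an outbound connection.
        elif ev.kind == "network" and in_user_writable(ev.image):
            alerts.append({"rule": "outbound_connection_from_user_writable_binary",
                           "pid": str(ev.pid), "dest": ev.dest or ""})
    return alerts


# Constructed sample telemetry: a downloaded "antivirus installer" beacons out,
# then launches PowerShell and cmd.exe; the last two lines are benign noise.
SAMPLE_TELEMETRY = [
    "kind=process pid=1200 image=C:\\Windows\\explorer.exe",
    "kind=process pid=4210 image=C:\\Users\\alice\\Downloads\\antivirus_installer.exe "
    "parent_image=C:\\Windows\\explorer.exe",
    "kind=network pid=4210 image=C:\\Users\\alice\\Downloads\\antivirus_installer.exe "
    "dest=192.0.2.10:443",
    "kind=process pid=4302 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "parent_image=C:\\Users\\alice\\Downloads\\antivirus_installer.exe",
    "kind=process pid=4310 image=C:\\Windows\\System32\\cmd.exe "
    "parent_image=C:\\Users\\alice\\Downloads\\antivirus_installer.exe",
    "kind=process pid=5000 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "parent_image=C:\\Windows\\explorer.exe",
    "kind=network pid=6000 image=C:\\Windows\\System32\\svchost.exe dest=198.51.100.5:443",
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TELEMETRY):
        print(alert)
```

Against the sample, the script raises three alerts (one network, two shell spawns) and stays silent on PowerShell launched from Explorer and on svchost.exe's connection. In a real deployment the same two rules map onto Sysmon event IDs 1 and 3 or EDR process and network telemetry; the parent-process rule is the more robust of the two because it does not depend on knowing the attacker's domain.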
Talos attributed the infections to a Russian-speaking actor who has been ramping up attacks involving the Sarwent backdoor since the beginning of this year.
The researchers stated that the campaign preys on individuals who are anxious that they are targeted by the Pegasus spyware. This targeting raises the possibility of state involvement, but the available information is insufficient to confirm it.