Amnesty International’s fake Pegasus scanner used to infect Windows
Threat actors are trying to take advantage of Amnesty International’s recent revelations about Pegasus spyware to distribute a lesser-known remote access tool called Sarwent.
The malware looks and acts like a legitimate antivirus solution specially created to scan the system for traces of Pegasus and remove them.
Antivirus look with a RAT bite
The Sarwent-based attacks have been ongoing since at least January this year and have targeted various victim profiles in several countries.
The bait used in previous campaigns is unclear at this time, but researchers at Cisco Talos recently spotted a new attack where Sarwent was delivered via a fake Amnesty International website advertising an Anti-Pegasus AV.
The threat actor has made an effort to make the malware look like legitimate antivirus by creating an appropriate graphical user interface.
The choice of this disguise indicates that the actor is trying to deceive users concerned about Pegasus spyware infecting their devices.
It is not known how the actor attracts visitors to the bogus Amnesty International website, but an analysis of the domains in this campaign “shows that the original domains are accessible worldwide”, although there is no indication of a large-scale campaign.
“Looking at the C2 [command and control] domain volume, we can see a much narrower distribution by country, with even lower volume,” the researchers note in a report published today.
Based on data from the administration panel of a Sarwent command and control (C2) server active during the investigation, the malware reached most users in the UK.
The researchers assess with high confidence that a Russian-speaking individual is responsible for the recent Sarwent attacks. They also found a similar backend in use since 2014, suggesting either that the malware is much older than initially thought, or that a different actor has used it before.
Sarwent is written in Delphi and it is not a frequent encounter in the wild. It includes functions generally seen in a remote access tool (RAT), allowing its operator to access the infected machine.
It allows direct access to the machine by activating the Remote Desktop Protocol (RDP) or via the Virtual Network Computing (VNC) system. Other methods also exist through its shell and PowerShell execution capabilities.
Cisco Talos researchers believe that the graphical user interface disguising Sarwent as an antivirus solution indicates that the threat actor behind it has access to the source code of the malware.
In addition to creating fake copies of Amnesty International’s website, the Sarwent operator also registered the following domains to impersonate the organization:
- international anti-ipegasus amnesty[.]com
Based on the evidence gathered, researchers are unable to categorize the Sarwent threat actor. On the surface they seem like someone looking for easy money.
However, some of the findings seem to suggest a more advanced adversary who has no financial motivation. Among the clues to support this theory are the low number of victims and the level of personalization of the campaign.
Another clue refers to domain registration details (name, email addresses, postal addresses) which appear to point to the malware operator. The provision of this information may be intentional, with the aim of confusing investigators.