Hackers are pretending to be human rights organization Amnesty International to target users with a fake anti-spyware product in a new malware campaign.
Victims were duped into downloading malware they thought was protection against NSO Group’s Pegasus spyware, according to security researchers at Cisco Talos.
Amnesty International recently published a report on the widespread use of Pegasus to target international journalists and activists. Hackers capitalized on this by setting up a fake website that looked like Amnesty International's and linked to an antivirus tool to protect against Pegasus. However, the download installs the little-known Sarwent malware.
Cisco Talos researchers Vitor Ventura and Arnaud Zobec said that Salwent, a remote access tool (RAT), opens a backdoor on the victim machine. It can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.
“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple recently released a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time,” the researchers said.
Researchers were highly confident the hackers behind the campaign are Russian and have been running Sarwent-based attacks on a variety of victims since January 2021. They also said they were uncertain about the actor’s intentions.
RELATED RESOURCE
Eight steps to fight ransomware
Insights into how you can protect yourself from this ever increasing threat
“The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” said researchers.
Investigations failed to find supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.
Researchers concluded that while it may seem like an actor trying to gather some easy-to-monetize information, some aspects, such as the level of customization with the RAT, intentionally misleading information, and the low volume of targets, indicate this may be a more advanced actor without financial motivation.
-
What is polymorphic malware?Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the companyOpinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
Greek intelligence allegedly uses Predator spyware to wiretap Facebook security stafferNews The employee’s device was infected through a link pretending to confirm a vaccination appointment
-
North Korean-linked Gmail spyware 'SHARPEXT' harvesting sensitive email contentNews The insidious software exfiltrates all mail and attachments, researchers warn, putting sensitive documents at risk
-
Young hacker faces 20-year prison sentence for creating prolific Imminent Monitor RATNews He created the RAT when he was aged just 15 and is estimated to have netted around $400,000 from the sale of it over six years
-
European company unmasked as cyber mercenary group with ties to RussiaNews The company that's similar to NSO Group has been active since 2016 and has used different zero-days in Windows and Adobe products to infect victims with powerful, evasive spyware
-
Mysterious MacOS spyware discovered using public cloud storage as its control serverNews Researchers have warned that little is known about the 'CloudMensis' malware, including how it is distributed and who is behind it
-
Apple launching Lockdown Mode with iOS 16 to guard against Pegasus-style spywareNews Apple breaks its bug bounty record with $2 million top prize, alongside $10 million grant funding, as it launches industry-first protections for highly targeted individuals
-
El Salvador becomes latest target of Pegasus spywareNews The list of nations with access to Pegasus is growing, with evidence pointing to potential links between 35 confirmed Pegasus cases and the Salvadoran government
-
Egyptian exiles targeted with Predator spyware resembling NSO Group's PegasusNews A high-profile politician and journalist have been targeted with spyware likely spread using WhatsApp messages
