IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Malware pretending to be Amnesty International antivirus for Pegasus discovered

Victims fearing Pegasus spyware targeted in a new malware campaign

Amnesty International website

Hackers are pretending to be human rights organization Amnesty International to target users with a fake anti-spyware product in a new malware campaign.

Victims were duped into downloading malware they thought was protection against NSO Group’s Pegasus spyware, according to security researchers at Cisco Talos.

Amnesty International recently published a report on the widespread use of Pegasus to target international journalists and activists. Hackers capitalized on this by setting up a fake website that looked like Amnesty International's and linked to an antivirus tool to protect against Pegasus. However, the download installs the little-known Sarwent malware.

Cisco Talos researchers Vitor Ventura and Arnaud Zobec said that Salwent, a remote access tool (RAT), opens a backdoor on the victim machine. It can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.

“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple recently released a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time,” the researchers said.

Researchers were highly confident the hackers behind the campaign are Russian and have been running Sarwent-based attacks on a variety of victims since January 2021. They also said they were uncertain about the actor’s intentions.

Related Resource

Eight steps to fight ransomware

Insights into how you can protect yourself from this ever increasing threat

Whitepaper front coverFree Download

“The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” said researchers.

Investigations failed to find supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.

Researchers concluded that while it may seem like an actor trying to gather some easy-to-monetize information, some aspects, such as the level of customization with the RAT, intentionally misleading information, and the low volume of targets, indicate this may be a more advanced actor without financial motivation.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022