An attack group based in Russia is trying to take advantage of the recent concern around the deployment of the high-end Pegasus spyware tool by creating a fake version of the Amnesty International website that lures visitors into downloading a RAT that can steal all manner of sensitive data.
The RAT is disguised as a tool designed to protect against Pegasus, the surveillance tool sold by NSO Group that is supposed to be deployed only against criminal suspects and terrorists. But research by Citizen Lab and other groups, including Amnesty International, has shown that some buyers of Pegasus have deployed the tool against journalists, human rights activists, and political dissidents in several countries. Pegasus has been well known in the security community for several years, but the recent publication of reports on Pegasus deployments has created much greater awareness of the tool among the general public, and threat actors are attempting to play on that awareness.
The fake Amnesty International website looks nearly identical to the authentic one, and it tries to entice visitors into downloading a piece of malware called Sarwent. Researchers at Cisco Talos discovered the fake site, analyzed the malware it delivers, and found that it is a lesser-known RAT with a wide range of capabilities. The domains used in this particular operation were registered in early September.
“Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly,” the Talos analysis by Vitor Ventura and Arnaud Zobec says.
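As a defender-side check for the RDP-enabling behaviour described in the quote above, the following PowerShell audit script is an added example and not code from the Talos report or from Cisco. It lists the switches Windows normally flips when Remote Desktop is turned on: the registry value, service, firewall rule group, listening port and event ID are standard Windows ones; the seven-day lookback and the output format are assumptions. Run it in an elevated session and compare the output against the host's known-good baseline; on a machine where RDP was never meant to be enabled, any of these indicators firing is worth investigating.

```powershell
# Added example (not from the Talos report): audit a Windows host for signs that
# Remote Desktop has been turned on. Standard Windows names are used throughout;
# the lookback window and output format are assumptions. Run elevated.

$findings = @()

# 1. Registry switch that allows or denies RDP (0 = connections allowed, 1 = denied)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'fDenyTSConnections=0: Remote Desktop connections are allowed'
}

# 2. State of the Remote Desktop Services service
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings += "TermService is $($svc.Status) (StartType: $($svc.StartType))"
}

# 3. Enabled inbound firewall rules in the built-in Remote Desktop group
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
    -ErrorAction SilentlyContinue
if ($fw) {
    $names = ($fw | Select-Object -ExpandProperty DisplayName) -join ', '
    $findings += "Enabled inbound firewall rules: $names"
}

# 4. Anything actually listening on the default RDP port, with its owning process
$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
foreach ($c in $listen) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 3389 listening, owning process: $($proc.ProcessName) (PID $($c.OwningProcess))"
}

# 5. Recent session logon events (ID 21 in the LocalSessionManager log covers RDP logons)
$since  = (Get-Date).AddDays(-7)   # assumed seven-day lookback window
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21
    StartTime = $since
} -ErrorAction SilentlyContinue
if ($logons) {
    $findings += "$(@($logons).Count) session logon event(s) (ID 21) since $since"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indications that Remote Desktop is enabled on this host.'
} else {
    Write-Output 'Remote Desktop indicators found; compare against the host baseline:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reads state; it changes nothing. Because Sarwent is described as enabling RDP after the fact, the most useful signal is a change from baseline: a host that previously reported no indicators and now reports an allowed registry value, an enabled firewall rule and a listener on 3389 owned by an unfamiliar process.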
“The malicious software being deployed is not a standard information stealer that, once executed, steals credentials and exfiltrates them immediately. In this case, Sarwent has a look and feel that could easily be recognized as a regular anti-virus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim's computer.”
The campaign that Talos discovered does not appear to have a phishing component tied to it, and the number of victims who have visited the domains hosting the website is relatively low. Talos observed Sarwent distribution in a number of countries, including the United States, the UK, Russia, Brazil, Poland, and Ukraine. The attack group running the campaign has been using Sarwent since at least January in various campaigns, and possibly for much longer, Talos said.
What is less clear is the end goal of this Sarwent campaign.
“The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why. However, our investigation has not found any other supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them,” the Talos report says.