Fears surrounding Pegasus spyware lead to new Trojan campaign
A recent investigation into how Pegasus spyware is used to monitor civil rights groups, journalists and government figures around the world is now being exploited as a lure in a new wave of cyber attacks.
Pegasus is a surveillance system sold by the NSO Group. Although marketed as a tool against crime and terrorism, an investigation into the spyware has led to allegations that it is being used against innocent people, including human rights activists, political activists, lawyers, journalists and politicians around the world.
The Israeli company NSO Group has denied the findings of the investigation carried out by Amnesty International, Forbidden Stories and numerous media outlets.
Apple has since patched a zero-day vulnerability used by Pegasus, a discovery made with Citizen Lab.
Now cybercriminals not connected to Pegasus are trying to capitalize on the damning report by promising individuals a way to “protect themselves” from such surveillance – but are secretly deploying their own brands of malware.
On Thursday, researchers from Cisco Talos said that the threat actors pose as Amnesty International and have set up a fake domain designed to impersonate the organization’s legitimate website.
The site offers an “antivirus” tool, “AVPegasus”, which promises to protect PCs against the spyware.
However, according to Talos researchers Vitor Ventura and Arnaud Zobec, the software actually contains the Sarwent Remote Access Trojan (RAT).
The domains associated with the campaign are amnestyinternationalantipegasus[.]com, amnestyvspegasus[.]com, and antipegasusamnesty[.]com.
Written in Delphi, Sarwent installs a backdoor on the machine when executed and can also use the Remote Desktop Protocol (RDP) to connect to an attacker-controlled command and control (C2) server.
The malware attempts to exfiltrate credentials and is also capable of downloading and executing further malicious payloads.
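The three lookalike domains listed above all trade on the Amnesty and Pegasus names outside Amnesty's own domain. The following is an added example (not code from Talos or from the article) of a simple defensive check that runs over constructed DNS log lines and flags such brand-impersonating names; the log format and the client addresses are assumptions.

```python
"""Flag lookalike domains that trade on the Amnesty / Pegasus brand names.

Added example, not from the Talos report: a small defensive check that a
DNS or proxy log can be run through to spot domains impersonating Amnesty
International, such as the three used in the AVPegasus campaign.
"""
import re
from typing import List, Tuple

# Constructed sample log lines (timestamp, client, queried name); not real data.
SAMPLE_DNS_LOG = """\
2021-09-30T10:01:12Z 10.0.0.12 query amnesty.org
2021-09-30T10:02:45Z 10.0.0.12 query amnestyinternationalantipegasus.com
2021-09-30T10:03:01Z 10.0.0.18 query www.amnestyvspegasus.com
2021-09-30T10:03:09Z 10.0.0.18 query cdn.example.net
2021-09-30T10:04:33Z 10.0.0.21 query antipegasusamnesty.com
"""

# Domains the organisation legitimately uses; any other name carrying the brand is suspect.
LEGITIMATE_DOMAINS = {"amnesty.org"}
# "pegasus" alone will also match unrelated brands, so tune this list for your environment.
BRAND_KEYWORDS = ("amnesty", "pegasus")

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into a plain hostname."""
    return domain.replace("[.]", ".").lower().strip(".")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com/.org, not for co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_brand_impersonation(host: str) -> bool:
    """True when a host uses a brand keyword outside the brand's own registrable domain."""
    base = registrable_domain(refang(host))
    if base in LEGITIMATE_DOMAINS:
        return False
    return any(word in base for word in BRAND_KEYWORDS)

LOG_RE = re.compile(r"^\S+ (\S+) query (\S+)$")

def scan_dns_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, queried host) pairs whose host looks like a brand lookalike."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_brand_impersonation(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for client, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved suspected lookalike {host}")
```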
The UK, US, Russia, India, Ukraine, Czech Republic, Romania and Colombia are the most targeted countries to date. Talos believes the cyber attacker behind this campaign is a Russian speaker who carried out further Sarwent-based attacks in 2021.
“The campaign targets people who might fear being targeted by Pegasus spyware,” Talos said. “This targeting raises issues of possible state involvement, but Talos does not have sufficient information to make a decision. It is possible that it is simply a financially motivated actor seeking to leverage headlines to get new access.”