Hackers impersonate Amnesty International to spread Sarwent RAT


Threat actors are masquerading as the human rights organization Amnesty International to distribute a fake anti-virus tool that ostensibly protects against NSO Group's notorious Pegasus spyware but in reality delivers the little-known Sarwent remote access tool.

Earlier this year, Amnesty International published an extensive report on the widespread use of Pegasus to target international journalists and activists.

According to the Cisco Talos researchers who discovered the campaign, the threat actors set up a fake website that mimics Amnesty International's and offers a purported antivirus tool for protection against NSO Group's Pegasus spyware; however, “the download actually installs the little-known Sarwent malware.”

The countries affected by the campaign include the U.K., the U.S., Russia, India, Ukraine, the Czech Republic, Romania, and Colombia. Cisco Talos believes that the threat actor behind this campaign is a Russian speaker located in Russia who has been running Sarwent-based attacks since at least January 2021, targeting victims in Colombia, India, the United States, and Germany. The researchers noted that this actor has been using the Sarwent RAT or similar malware since 2014.

“Given the available data, we remain uncertain about the intentions of the actor. The use of Amnesty International's name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why. However, our investigation has not found any other supporting data to make clear whether this is a financially motivated actor using headlines to gain new access, or a state supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them,” Talos’ Vitor Ventura and Arnaud Zobec said.

The Sarwent malware contains the usual abilities of a RAT — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the attackers to access the desktop directly.

Once Sarwent is executed, it contacts the domain medicalsystemworld[.]site, from which it can download an updated copy of itself if one is needed later. The malware then connects to its command and control (C2) server, which is hosted on the same domain.

Sarwent exfiltrates some information about the victim, such as the operating system version, whether anti-virus software is installed, and the system architecture. After that, the threat actor can issue commands via the command line or PowerShell, or access the desktop remotely via VNC or RDP.
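The only network indicator the write-up gives for this campaign is the defanged C2 domain above. As an added example (not Cisco Talos's code or tooling), the following Python script refangs that indicator and sweeps it across DNS resolver log lines, flagging both the exact domain and any subdomain of it while ignoring unrelated hostnames that merely end in the same string. The log format and every log line are constructed for the example; the domain is the one published in the article.

```python
import re
from collections import Counter

# Indicator published in the Talos write-up, kept in defanged form
DEFANGED_C2 = "medicalsystemworld[.]site"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAIN = refang(DEFANGED_C2)

# Constructed sample DNS query log (not real telemetry).
# Format assumed here: <timestamp> <client-ip> query <rtype> <qname>
SAMPLE_DNS_LOG = """\
2021-10-05T09:12:01Z 10.0.0.14 query A update.microsoft.com
2021-10-05T09:12:07Z 10.0.0.23 query A medicalsystemworld.site
2021-10-05T09:13:44Z 10.0.0.23 query A cdn.medicalsystemworld.site
2021-10-05T09:14:02Z 10.0.0.31 query A notmedicalsystemworld.site
2021-10-05T09:15:10Z 10.0.0.23 query A MEDICALSYSTEMWORLD.SITE.
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<rtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Lower-case and strip a trailing root dot so comparisons are exact."""
    return qname.lower().rstrip(".")


def matches_c2(qname: str, c2: str = C2_DOMAIN) -> bool:
    """True for the C2 domain itself or any subdomain of it.

    Matching on the label boundary ('.' + c2) prevents false positives
    such as 'notmedicalsystemworld.site'.
    """
    q = normalize_qname(qname)
    return q == c2 or q.endswith("." + c2)


def find_c2_lookups(log_text: str, c2: str = C2_DOMAIN):
    """Return (timestamp, client, qname) for each query touching the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if matches_c2(m.group("qname"), c2):
            hits.append((m.group("ts"), m.group("src"), normalize_qname(m.group("qname"))))
    return hits


def clients_to_triage(log_text: str, c2: str = C2_DOMAIN) -> Counter:
    """Count C2 lookups per client so responders know which hosts to isolate first."""
    return Counter(src for _, src, _ in find_c2_lookups(log_text, c2))


if __name__ == "__main__":
    for ts, src, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {src} -> {qname}")
    print("clients to triage:", dict(clients_to_triage(SAMPLE_DNS_LOG)))
```

A host that resolves the C2 domain is a candidate for the follow-on checks the article implies: whether Remote Desktop was enabled unexpectedly and whether an unknown "anti-virus" binary was recently installed.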

“The level of customization present in the fake anti-virus indicates that it is likely the operator has access to the source code of the Sarwent malware, and that they are not using a typical builder service. This level of familiarity also supports our earlier finding that the actor had been using the Sarwent malware since as early as 2014. This access is especially interesting given that we were unable to find anyone selling access or builders for this malware,” the researchers noted.

“At first glance, it may seem like an actor trying to gather some easy-to-monetize information. However, there are aspects of this, such as the level of customization with the RAT, information that appears to be intentionally misleading and the low volume of targets, that indicate this may be a more advanced actor without a financial motivation,” Cisco Talos concluded.
