That ‘anti-NSO Pegasus spyware’ download is actually a Trojan – so don’t touch it

A malware peddler has created a fake website posing as Amnesty International to serve gullible marks with software that claims to protect users against NSO Group’s Pegasus malware. In fact it’s a remote access Trojan (RAT).

Trading on fears about the Pegasus malware, this development takes the usual evolution of malware download lures (typically themed around topical news items) and picks a particularly nasty vector, preying on those looking for protection against advanced threats.

The phony Amnesty website looks very similar to the real thing, and offers users “AntiPegasus” software for download to a Windows desktop. The malware (for that’s what it is) “scans” the user’s machine, while in reality dropping a Trojan; the malicious app itself is superficially camouflaged to fool non-technically-adept users into thinking they’ve downloaded safe software.

Cisco Talos discovered the phony website and analysed the download, discovering it was the Sarwent RAT.

“Sarwent contains the usual abilities of a remote access tool – mainly serving as a backdoor on the victim machine – and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly,” said Talos researchers Vitor Ventura and Arnaud Zobec.
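The RDP-enabling capability quoted above is something defenders can check for directly. The following PowerShell script is an added example, not code from the article or from Cisco Talos: it compares a Windows host's Remote Desktop configuration against an expected baseline (the `$ExpectedRdpEnabled` parameter is an assumption about local policy; most workstations should have RDP off) and reports the settings a backdoor would have to change to expose the desktop: the `fDenyTSConnections` registry value, Network Level Authentication, the TermService service, the built-in "Remote Desktop" firewall rule group, and any process listening on the RDP port.

```powershell
# Added example (not from the article or Cisco Talos): baseline check for hosts
# where Remote Desktop should stay disabled. $ExpectedRdpEnabled is an assumed
# policy value; run in an elevated PowerShell session on the host being checked.
param([bool]$ExpectedRdpEnabled = $false)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

# fDenyTSConnections = 1 means RDP is disabled; 0 means enabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
if ($rdpEnabled -ne $ExpectedRdpEnabled) {
    $findings += "fDenyTSConnections=$deny (RDP enabled: $rdpEnabled) differs from expected ($ExpectedRdpEnabled)"
}

# UserAuthentication = 1 requires Network Level Authentication before a session is created.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpEnabled -and $nla -ne 1) {
    $findings += "NLA disabled (UserAuthentication=$nla) on an RDP-enabled host"
}

# The Remote Desktop Services service must be running for RDP to accept connections.
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running' -and -not $ExpectedRdpEnabled) {
    $findings += "TermService is running on a host where RDP should be disabled"
}

# Enabling RDP through the usual system settings also enables the built-in firewall rule group.
$fwEnabled = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($fwEnabled -and -not $ExpectedRdpEnabled) {
    $names = ($fwEnabled | Select-Object -ExpandProperty DisplayName) -join ', '
    $findings += "Inbound 'Remote Desktop' firewall rules enabled: $names"
}

# Check the actual listener; PortNumber under RDP-Tcp overrides the default of 3389.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }
$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listener -and -not $ExpectedRdpEnabled) {
    $pids = ($listener.OwningProcess | Sort-Object -Unique) -join ', '
    $findings += "TCP port $port is listening (owning PID(s): $pids)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: RDP configuration on $env:COMPUTERNAME matches baseline (enabled=$ExpectedRdpEnabled)"
} else {
    Write-Output "ALERT: $($findings.Count) deviation(s) from RDP baseline on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it as `.\Check-RdpBaseline.ps1` on a workstation that should not expose RDP, or with `-ExpectedRdpEnabled $true` on a jump host; any deviation, especially a listener on the RDP port owned by a process that is not the expected service host, is worth a closer look, since a RAT that flips these settings leaves exactly this footprint behind.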

Pegasus is an iPhone exploit suite developed by Israeli malware vendor NSO Group. At least one of the exploits used by NSO, a zero-click flaw in iMessage, was patched by Apple in September.

The website appears to have been caught at a very early stage, with Talos noting that its email telemetry hasn’t picked it up. Neither are there search engine lures. Domains used to lure users into downloading the RAT range as far afield as Britain, the US, Russia, Vietnam, Argentina, and Slovakia.

“Cisco Talos believes with high confidence that the actor in this case is a Russian speaker located in Russia and has been running Sarwent-based attacks since at least January 2021, covering a variety of victim profiles,” concluded the firm.

The infosec outfit believes Sarwent dates back to 2014 – quite old in malware terms.

The use of fake domains and Trojanised downloads to spread malware is almost as old as malware itself. Fake software activation codes are a perennial favourite, while state-backed APTs have used GDPR lures over the last four or five years with varying degrees of success.

Meanwhile, on a much larger scale, files published by WikiLeaks in 2017 appeared to show the CIA wrote code to impersonate Kaspersky Labs in order to more easily siphon off sensitive data from their targets.

Amnesty International has been asked for comment. The organisation has been vocal about NSO Group supplying malware and hacking tools to dodgy governments, along with tech-focused orgs such as Canada’s Citizen Lab and Britain’s Privacy International. ®
