That 'anti-NSO Pegasus spyware' download is actually a Trojan – so don't touch it

Cisco Talos spots early-stage campaign targeting low-info users


A malware peddler has created a fake website posing as Amnesty International to serve gullible marks with software that claims to protect users against NSO Group's Pegasus malware. In fact it's a remote access Trojan (RAT).

Trading on fears about Pegasus, the campaign follows the usual pattern for malware download lures, which are typically themed around topical news items, but with a particularly nasty twist: it preys on people who are looking for protection against advanced threats.

The phony Amnesty website looks very similar to the real thing and offers "AntiPegasus" software for download to Windows desktops. The download (malware, for that's what it is) "scans" the user's machine while in reality dropping a Trojan; the app itself is superficially camouflaged to fool non-technical users into thinking they've installed legitimate software.

Cisco Talos discovered the phony website and analysed the download, discovering it was the Sarwent RAT.

"Sarwent contains the usual abilities of a remote access tool – mainly serving as a backdoor on the victim machine – and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly," said Talos researchers Vitor Ventura and Arnaud Zobec.
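The RDP-enabling behaviour Talos describes leaves a fingerprint in host telemetry, and that is the check a defender will want. What follows is an added example, not code from Talos or from the Sarwent sample: a small detector run over constructed Sysmon-style events (Event ID 13, registry value set; Event ID 1, process creation). The timestamps, file names and command lines are made up; the registry value and the commands matched are the standard ways of switching Remote Desktop on in Windows, whoever runs them.

```python
"""Flag host telemetry that shows Remote Desktop being switched on.

Added example, not from the Talos write-up or the Sarwent malware. Runs over
constructed Sysmon-style events and reports each one that enables RDP, with a
severity based on whether the writing process lives in a user-writable path.
"""
import re

# Windows consults this value before accepting RDP sessions; 0 means allow.
RDP_SWITCH_SUFFIX = r"\terminal server\fdenytsconnections"

# Command lines that flip the switch, open the firewall or auto-start the service.
CMD_PATTERNS = [
    re.compile(r"fDenyTSConnections.*?(/d\s+|-Value\s+)0\b", re.I),
    re.compile(r'advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?.*enable=yes', re.I),
    re.compile(r"Enable-NetFirewallRule.*Remote Desktop", re.I),
    re.compile(r"\bsc(\.exe)?\s+config\s+TermService\s+start=\s*auto", re.I),
]

# Directories an ordinary user can write to; admin tooling rarely runs from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)


def rdp_enable_reason(event):
    """Return why this event counts as enabling RDP, or None if it does not."""
    eid = event.get("EventID")
    if eid == 13:  # Sysmon: registry value set
        target = event.get("TargetObject", "").lower()
        if target.endswith(RDP_SWITCH_SUFFIX) and "0x00000000" in event.get("Details", ""):
            return "fDenyTSConnections written to 0"
    elif eid == 1:  # Sysmon: process creation
        cmd = event.get("CommandLine", "")
        for pat in CMD_PATTERNS:
            if pat.search(cmd):
                return "command line enables RDP: " + cmd
    return None


def severity(event):
    """'high' if the actor or its parent runs from a user-writable path, else 'review'."""
    paths = (event.get("Image", ""), event.get("ParentImage", ""))
    return "high" if any(USER_WRITABLE.search(p) for p in paths) else "review"


def find_rdp_enablers(events):
    """Return (UtcTime, severity, reason) for every event that switches RDP on."""
    hits = []
    for ev in events:
        reason = rdp_enable_reason(ev)
        if reason:
            hits.append((ev["UtcTime"], severity(ev), reason))
    return hits


# Constructed sample telemetry (not real Sarwent artifacts): an admin enabling
# RDP from PowerShell, then a fake scanner dropped in %TEMP% doing the same via
# the registry and netsh, plus two events that must not fire.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-09-30 10:02:11", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command \"Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' -Name fDenyTSConnections -Value 0\""},
    {"UtcTime": "2021-09-30 10:15:40", "EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\antipegasus_setup.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"UtcTime": "2021-09-30 10:15:41", "EventID": 1,
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\antipegasus_setup.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"UtcTime": "2021-09-30 11:00:00", "EventID": 13,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},  # RDP being turned off: not a hit
    {"UtcTime": "2021-09-30 11:05:00", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\rdp_notes.txt"},
]

if __name__ == "__main__":
    for when, sev, why in find_rdp_enablers(SAMPLE_EVENTS):
        print(f"{when}  [{sev}]  {why}")
```

The admin's own change is reported too, at "review" rather than "high": the registry write is the same whoever makes it, so the triage signal is the path of the writing process (and its parent), not the write itself. Pair the alert with a listener check on TCP 3389 and the TermService start type to confirm the host is actually reachable.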

Pegasus is mobile spyware developed by Israeli surveillance vendor NSO Group and delivered by exploit chains, most notoriously against iPhones. At least one of the exploits used by NSO, a zero-click flaw in iMessage, was patched by Apple in September.

The campaign appears to have been caught at a very early stage: Talos noted that its email telemetry hasn't picked it up, and there are no search-engine lures either, so it is not yet clear how victims are being directed to the site. The domains used to lure users into downloading the RAT are spread across countries including Britain, the US, Russia, Vietnam, Argentina and Slovakia.

"Cisco Talos believes with high confidence that the actor in this case is a Russian speaker located in Russia and has been running Sarwent-based attacks since at least January 2021, covering a variety of victim profiles," concluded the firm.

The infosec outfit believes Sarwent dates back to 2014 – quite old in malware terms.

The use of fake domains and Trojanised downloads to spread malware is almost as old as malware itself. Fake software activation codes are a perennial favourite, while state-backed APTs have used GDPR lures over the last four or five years with varying degrees of success.

Meanwhile, on a much larger scale, files published by WikiLeaks in 2017 appeared to show the CIA wrote code to impersonate Kaspersky Lab in order to more easily siphon off sensitive data from its targets.

Amnesty International has been asked for comment. The organisation, along with tech-focused outfits such as Canada's Citizen Lab and Britain's Privacy International, has been vocal about NSO Group's supplying of malware and hacking tools to dodgy governments. ®


Biting the hand that feeds IT © 1998–2022