That 'anti-NSO Pegasus spyware' download is actually a Trojan – so don't touch it

Cisco Talos spots early-stage campaign targeting low-info users


A malware peddler has created a fake website posing as Amnesty International to serve gullible marks with software that claims to protect users against NSO Group's Pegasus malware. In fact it's a remote access Trojan (RAT).

Trading on fears about the Pegasus malware, this development takes the usual evolution of malware download lures (typically themed around topical news items) and picks a particularly nasty vector, preying on those looking for protection against advanced threats.

The phony Amnesty website looks very similar to the real thing, and offers users "AntiPegasus" software for download to a Windows desktop. The malware (for that's what it is) "scans" the user's machine, while in reality dropping a Trojan; the malicious app itself is superficially camouflaged to fool non-technically-adept users into thinking they've downloaded safe software.

Cisco Talos discovered the phony website and analysed the download, discovering it was the Sarwent RAT.

"Sarwent contains the usual abilities of a remote access tool – mainly serving as a backdoor on the victim machine – and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly," said Talos researchers Vitor Ventura and Arnaud Zobec.

Pegasus is an iPhone exploit suite developed by Israeli malware vendor NSO Group. At least one of the exploits abused by NSO was patched by Apple in September as it was a zero-click flaw in iMessage.

The website appears to have been caught at a very early stage, with Talos noting that its email telemetry hasn't picked it up. Neither are there search engine lures. Domains used to lure users into downloading the RAT range as far afield as Britain, the US, Russia, Vietnam, Argentina, and Slovakia.

"Cisco Talos believes with high confidence that the actor in this case is a Russian speaker located in Russia and has been running Sarwent-based attacks since at least January 2021, covering a variety of victim profiles," concluded the firm.

The infosec outfit believes Sarwent dates back to 2014 – quite old in malware terms.

The use of fake domains and Trojanised downloads to spread malware is almost as old as malware itself. Fake software activation codes is a perennial favourite, while state-backed APTs have used GDPR lures over the last four or five years with varying degrees of success.

Meanwhile, on a much larger scale, files published by WikiLeaks in 2017 appeared to show the CIA wrote code to impersonate Kaspersky Labs in order to more easily siphon off sensitive data from their targets.

Amnesty International has been asked for comment. The organisation has been vocal about NSO Group's supplying of malware and hacking tools to dodgy governments, along with tech-focused orgs such as Canada's Citizen Lab and Britain's Privacy International. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021