Fears surrounding Pegasus spyware prompt new Trojan campaign

Criminals hope that the lure of a promise to protect you from spyware will make you click that link.

A recent investigation into how Pegasus spyware is being used to monitor civil rights organizations, journalists, and government figures worldwide is now being exploited as a lure in a new wave of cyberattacks.

Pegasus is a surveillance system offered by the NSO Group. While advertised as software for fighting crime and terrorism, a probe into the spyware led to allegations that it is being used against innocents, including human rights activists, political activists, lawyers, journalists, and politicians worldwide. 

Israel-based NSO Group denied the findings of the investigation, conducted by Amnesty International, Forbidden Stories, and numerous media outlets. 

Apple has since patched a zero-day vulnerability utilized by Pegasus, a discovery made together with Citizen Lab. 

Now, cybercriminals unconnected to Pegasus are attempting to capitalize on the damning report by promising individuals a way to 'protect' themselves against such surveillance, while secretly deploying their own malware instead.

On Thursday, researchers from Cisco Talos said that threat actors are masquerading as Amnesty International and have set up a fake domain designed to impersonate the organization's legitimate website. 

The fake site offers an 'antivirus' tool, "AVPegasus," that promises to protect PCs from the spyware.


However, according to Talos researchers Vitor Ventura and Arnaud Zobec, the software contains the Sarwent Remote Access Trojan (RAT).

The domains associated with the campaign are amnestyinternationalantipegasus[.]com, amnestyvspegasus[.]com, and antipegasusamnesty[.]com.
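Defenders who want to check whether anyone on their network resolved these domains can match them against DNS query logs. The following is an added example, not code from Cisco Talos or from the article: it refangs the three published indicators and scans a handful of constructed resolver log lines (the timestamps, client addresses and log format are assumptions), flagging exact matches and subdomains while leaving the legitimate amnesty.org untouched.

```python
"""Flag DNS queries for the Sarwent campaign's lookalike domains (added example)."""
import re

# The three indicators as published in the article, defanged with "[.]".
DEFANGED_IOCS = [
    "amnestyinternationalantipegasus[.]com",
    "amnestyvspegasus[.]com",
    "antipegasusamnesty[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain back into a lowercase hostname for matching."""
    return indicator.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def is_ioc_match(hostname: str) -> bool:
    """True if hostname equals an indicator or is a subdomain of one.

    The leading "." in the endswith check stops look-alikes such as
    "notamnestyvspegasus.com" from matching "amnestyvspegasus.com".
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


# Assumed resolver log format (constructed for this example):
# <timestamp> <client-ip> <query-name> <query-type>
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for every line that queried an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:  # skip malformed lines rather than crash the scan
            continue
        ts, client, qname, _qtype = m.groups()
        if is_ioc_match(qname):
            hits.append((ts, client, qname.lower().rstrip(".")))
    return hits


# Constructed sample log: one legitimate Amnesty lookup, two hits
# (one a trailing-dot FQDN, one a subdomain), one near-miss, one junk line.
SAMPLE_LOG = [
    "2021-09-30T10:30:47Z 10.0.0.12 www.amnesty.org A",
    "2021-09-30T10:31:02Z 10.0.0.12 amnestyvspegasus.com. A",
    "2021-09-30T10:31:05Z 10.0.0.21 www.antipegasusamnesty.com A",
    "2021-09-30T10:31:09Z 10.0.0.21 notamnestyvspegasus.com A",
    "malformed line",
]

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried campaign domain {qname}")
```

Point the scanner at a real resolver export by replacing `SAMPLE_LOG` with the file's lines and adjusting `LOG_LINE` to the exporter's column order; any hit is a host that at least reached the fake site and is worth triaging for the Sarwent RAT.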

Written in Delphi, Sarwent installs a backdoor on the machine when executed and can also use the Remote Desktop Protocol (RDP) to connect to an attacker-controlled command-and-control (C2) server.

The malware will attempt to exfiltrate credentials and is also able to download and execute further malicious payloads. 

The UK, US, Russia, India, Ukraine, the Czech Republic, Romania, and Colombia are the most targeted countries to date. Talos believes the cyberattacker behind this campaign is a Russian speaker who has operated other Sarwent-based attacks over 2021. 

"The campaign targets people who might be concerned that they are targeted by the Pegasus spyware," Talos says. "This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination there. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access."
