A threat group is delivering the little-known Sarwent Trojan through a phoney Amnesty International website that claims to protect users from the Pegasus mobile spyware.
According to Cisco Talos security researchers, the campaign targets people who believe they have been targeted by NSO Group's Pegasus spyware, a tool associated with nation-state operations, but Talos has not yet attributed the activity to a specific threat actor.
Pegasus is a controversial surveillance tool that has reportedly been used by repressive governments in campaigns against journalists, human rights activists, and other critics of those regimes, despite claims that it is sold only for lawful use.
After Amnesty International published a detailed report on Pegasus in July of this year, and Apple shipped patches for the ForcedEntry zero-day exploit, many individuals began looking for ways to shield themselves from the spyware, and the attackers took advantage of that demand.
On a phoney website that mimics Amnesty International's, the threat actor offers "Amnesty Anti Pegasus," an anti-virus application that supposedly protects against NSO Group's malware. (Amnesty International's own Pegasus detection tooling, the open-source Mobile Verification Toolkit, is a forensic utility for examining device backups, not an anti-virus product; a "protective" desktop installer is itself a warning sign.)
Instead, users receive the Sarwent remote access tool (RAT), which lets attackers upload and execute arbitrary payloads on infected PCs and exfiltrate any data they consider valuable.
According to the Cisco Talos assessment, the campaign is low in volume but has nonetheless claimed victims in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine.
The actor behind the campaign appears to be a Russian speaker who has been using Sarwent since at least January 2021 against people from many walks of life around the world. According to the researchers, the actor has been using this Trojan, or one with a similar backdoor, since 2014.
"Given the current information, we are unsure of the actor's objectives. The use of Amnesty International's name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why," according to Cisco Talos.