Be careful of the AMNESTY INTERNATIONAL antivirus that removes Pegasus: it is a malware that steals our data

Time: 07/Nov By: kenglenn 622 Views

Our servants with premiumwhiteparpentventiTeventiTiTiCanicybersecurity Nationalware and attack and adequatement of corporately culture cyber'speredoNews Analysisci we are technical analysis and HackerCondividi attacks this article this article

A malicious campaign is distributing the Sarwent remote access tool by passing it off as the Amnesty International antivirus capable of removing the dangerous pegasus spyware, but once running allows you to exfiltrate sensitive data from the infected machine.Here are the details and how to mitigate the risk

01 Ott 2021Paolo TarsitanoEditor Cybersecurity360.it

A malicious campaign is underway for the distribution of a fake antivirus released by Amnesty International which promises to remove from our devices the notorious Pegasus spyware used in recent times to spy on journalists, activists and heads of state: the trick is used to hide the malwareSarwent, a remote access tool capable of infecting Windows machines and exfilting sensitive information such as access credentials to the system or online services.

The actors of the threat have therefore found a way to capitalize the recent scandal on mass wiretapping to launch their new attack and obtain the maximum possible impact.

It is good to remember that Amnesty International has already released the official mobile tool verification toolkit (MVT) tool to help those interested in scanning their iPhone and Android devices in search of compromise tests by Pegasus: it is therefore conceivable that the attacksare directed precisely towards those users who could be concerned about being targeted by the spyware, exploiting the emotion and fear of being spied on to create confusion between the official tool and the fake antivirus.

The targeting of the malicious countryside therefore leaves the hypothesis of an involvement of an actor State Sponsored open, but obviously a simple financial motivation behind the attack cannot be excluded.

Indice degli argomenti

Amnesty International's fake antivirus

Attenti all’antivirus di Amnesty International che rimuove Pegasus: è un malware che ruba i nostri dati

According to what Cisco Talos researchers discovered, the Criminal Hackers have created a bogus website that faithfully reproduces the official one of Amnesty International (famous non-governmental organization that deals with the defense of human rights) to spread Anti-Pegasus AV, an instrumentof security that is passed off as a solution to identify and remove the espionage tool designed by the Israeli NSO Group.

WHITEPAPERFashion tech: lo scenario del post-covidCloudDatacenterScopri di piùScarica il Whitepaper

By downloading and installing the tool, the victim finds himself in front of a very well -kept graphic interface that actually recalls that of the antivirus, complete with Amnesty International logo and menu with the system scanning and cleaning tools.

Obviously, none of these tools really works but only serve to hide the Sarwent malware exfiltration activities.

In particular, by some malicious code samples isolated during the diffusion campaign, the researchers have verified that Sarwent is coded in Delphi and is equipped with features that allow you to access the infected system via VNC (Virtual Network Computing) or RDP (Remote DesktopProtocol).Once in execution, it is therefore able to carry out command line or power row instructions received from a domain controlled by the threat actor: these instructions allow you to exfiltrate data from the victim's system or to perform more harmful code.

At the moment it is not yet clear how the actors of the threat are able to attract the victims on the false Amnesty International website, probably through social engineering techniques or phishing campaigns via e-mail or on social networks.

What is certain is that the domains used for the spread of malware are accessible from all over the world, including Italy, even at the moment there is no indication on the fact that it is a large -scale campaign.

Certainly, based on the data extracted from the administration panel of a Sarwent command and control server to which Cisco Talos researchers have succeeded, the country most targeted by malware seems to be the United Kingdom, but the infection isslowly widening to the whole world.

How to mitigate the risk

In addition to creating the false copy of the Amnesty International site, the threat actor also recorded the following domains:

that it is good to add in the control rules of your safety systems which, we remember, must be kept constantly updated.

In addition, the rule is always worth not downloading or installing software from non-reliable sources and not clicking on links or opening attachments of e-mails of dubious origin.

@RIPRODUZIONE RISERVATAPersonaggiPPaolo TarsitanoArgomentiHHackerMmalwareNNSO GroupPPegasusPphishingSspywareCanaliMalware e attacchi hackerNews analysisMalware e attacchi hackerL'ANALISI

Pegasus, interceptions and status trojans: that's why no smartphone is safe

20 Lug 2021di Marco SantarelliCondividi il postCondividi Malware e attacchi hackerL'ANALISI TECNICA

Apple, corrected the zero-day forcecentry used by Pegasus to spy on the iPhones: we immediately install the patch

14 Set 2021di Paolo TarsitanoCondividi il postCondividi RansomwareL'ANALISI TECNICA