An unexplored Sarwent Trojan is being distributed by a threat organization via a bogus Amnesty International website that claims to protect customers from the Pegasus smartphone spyware.
The operation is intended towards those who feel they have been attacked by the NSO Group's Pegasus spyware and thus are tied to nation-state action, according to Cisco Talos security analysts, but Talos is yet to identify the exact threat actor.
Pegasus is a piece of spyware created by the Israeli cyber arms firm NSO Group which can be loaded secretly on smartphones (and other devices) running most versions of iOS and Android. According to the disclosures from Project Pegasus 2021, the existing Pegasus program can attack all recent iOS versions up to iOS 14.6. Pegasus could intercept text messages, track calls, gather passwords, monitor position, access the target device's camera and microphone, and collect data from apps as of 2016.
Despite the claims regarding authorized utilization, Pegasus - a contentious surveillance software technology has been allegedly used by tyrannical governments in operations targeting journalists, human rights activists, as well as other opponents of the state.
Soon after the release of a comprehensive Amnesty International report on Pegasus in July of this year, as well as Apple's dissemination of updates for the ForcedEntry zero-day exploit, several users started exploring ways of protecting themselves from the spyware that was exploited by adversaries.
On a bogus website that I identical to Amnesty International, the malicious actors claim to be delivering "Amnesty Anti Pegasus," an anti-virus tool that can allegedly guard against NSO Group's malware.
Alternatively, customers are given the Sarwent remote access tool (RAT), which allows attackers to easily upload and run payloads on compromised PCs, as well as extract relevant and sensitive data.
Despite its low intensity, the attack has struck individuals in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine, as per Cisco Talos.
“Given the current information, we are unsure of the actor’s objectives. The use of Amnesty International’s name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why,” according to Cisco Talo.
The campaign's adversary seems to be a Russian speaker who has been using Sarwent to target patients from different walks of life all across the globe since at least January 2021. The malicious actors have been using the Trojan and one with a comparable backdoor since 2014, according to security experts.