Fake Antivirus Promised Protection from Pegasus Spyware but Was Actually a Trojan

Cybercriminals are taking advantage of the recent scandal surrounding the Pegasus spyware. Disguised as a security scanner that claims to detect traces of Pegasus on your system, hackers are spreading the Sarwent Remote Access Trojan (RAT).

To recap, in June 2021, the human rights organization Amnesty International, the nonprofit project Forbidden Stories, and more than 80 journalists from a consortium of 17 media organizations in ten countries published the results of a joint investigation called the “Pegasus Project.” At that time, experts reported large-scale abuses involving the Pegasus spyware, which was developed by the Israeli company NSO Group. According to their report, the company’s spyware has been widely used to violate human rights and to surveil politicians, activists, journalists, and human rights defenders around the world.

Experts from Cisco Talos report that attacks using Sarwent have been ongoing since the beginning of this year, targeting victims in several countries. While it’s unclear what lures were used in previous campaigns, analysts have now discovered that Sarwent is being distributed through a fake Amnesty International website and is being advertised as a security solution against Pegasus. The malware even features a graphical interface to make it look like a legitimate antivirus program.

Researchers have not yet determined exactly how hackers are attracting visitors to this fake site. However, analysis of the campaign’s domains shows that users from all over the world are accessing them, even though there are no signs of a large-scale campaign.

Fake Domains Used in the Campaign

  • amnestyinternationalantipegasus[.]com
  • amnestyvspegasus[.]com
  • antipegasusamnesty[.]com

In addition to copies of the Amnesty International website, the Sarwent operator registered the above domains. Experts are confident that a Russian-speaking attacker is behind this campaign. They also discovered a similar backend that has been in use since 2014, suggesting that either Sarwent is much older than previously thought or it was used by other hackers in the past.
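As an added illustration (not part of the original article), the following Python check refangs the three campaign domains listed above and flags them, or any unlisted domain whose label combines the same two brand words, in DNS-style log lines; the sample log lines and the lookalike heuristic are constructed for this example.

```python
import re

# The three campaign domains reported in the article, written defanged ([.]).
CAMPAIGN_DOMAINS_DEFANGED = [
    "amnestyinternationalantipegasus[.]com",
    "amnestyvspegasus[.]com",
    "antipegasusamnesty[.]com",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

CAMPAIGN_DOMAINS = {refang(d) for d in CAMPAIGN_DOMAINS_DEFANGED}

# Hostnames: dotted labels ending in an alphabetic TLD (so IPv4 addresses are skipped).
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.IGNORECASE)

def classify_host(host: str) -> str:
    """'known' for a listed domain (or a subdomain of one), 'lookalike' for an unlisted
    domain combining both brand words (this example's assumption), else 'clean'."""
    host = host.lower().rstrip(".")
    if host in CAMPAIGN_DOMAINS or any(host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
        return "known"
    label = host.split(".")[-2]  # second-level label, e.g. "amnestyvspegasus"
    if "amnesty" in label and "pegasus" in label:
        return "lookalike"
    return "clean"

def scan_log(lines):
    """Return (line_no, host, verdict) for every hostname that is not clean."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            verdict = classify_host(host)
            if verdict != "clean":
                hits.append((n, host.lower(), verdict))
    return hits

# Constructed sample DNS-style lines (not real logs): "timestamp client query name".
SAMPLE_LOG = [
    "2021-09-01T10:00:01Z 10.0.0.5 query amnesty.org",
    "2021-09-01T10:02:13Z 10.0.0.7 query amnestyvspegasus.com",
    "2021-09-01T10:03:44Z 10.0.0.7 query www.antipegasusamnesty.com",
    "2021-09-01T10:05:02Z 10.0.0.9 query pegasusamnestycheck.net",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```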

Sarwent is written in Delphi, which is uncommon among modern malware. Like other RATs, it gives its operators access to infected machines. It provides direct access to the system by enabling Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC), and it can also run commands through shells, including PowerShell.

Researchers are still unsure whether the Sarwent operators are motivated by financial gain or if this is a case of espionage.
