Amnesty International exploited in malware campaign

Threat actors are exploiting the reputation and branding of human rights organisation Amnesty International to target its victims with malware masquerading as an anti-spyware remedy.

The little-known Sarwent remote access trojan (Rat) malware is being used against people who are concerned that they may become targets of Pegasus, a supposedly legitimate spyware app developed by Israeli cyber firm NSO Group.

Pegasus has been at the centre of global controversy in recent months after extensive investigations found government customers of NSO were using it to target activists, dissidents, journalists and politicians. It has also been linked to the murder of journalist Jamal Khashoggi by the Saudi Arabian authorities.

Now, Cisco Talos researchers Vitor Ventura and Arnaud Zobec say the threat actors behind Sarwent are taking advantage of the situation in order to compromise their victims.

In this attack, targets are directed to a link to an anti-virus tool from a website masquerading as that of Amnesty International – which played a key role in the recent investigation into Pegasus – which downloads Sarwent to their devices.

The Rat serves mainly as a backdoor and also has the ability to access the remote desktop protocol (RDP) on a victim’s machine, enabling whoever is behind it to access the desktop directly, should it compromise a PC or laptop. It enables attackers to upload and execute additional malicious tools, and can also exfiltrate data.

“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware,” said Ventura and Zobec in a disclosure blog.

“In addition to Amnesty International’s report, Apple also had to recently release a security update for iOS that patched a vulnerability that attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time.”

Ventura and Zobec believe the campaign itself to be originating from Russia with a high degree of confidence, but analysis of the domains involved appears to suggest the campaign is not widespread, so there is a certain measure of doubt over the motivation behind it.

“The campaign targets people who might be concerned that they are targeted by the Pegasus spyware,” they said. “This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.”

Regardless of which group is behind this campaign, it is clearly successfully leveraging current events as a lure – a common tactic, as the Covid-19 pandemic has demonstrated. Security teams and administrators are best advised to try to keep abreast of the news cycle in order to warn users about such lures.

“Pegasus continues to intrude on people’s lives and attack devices in what seems like an endless game of cat and mouse,” said ESET’s Jake Moore.

“Targeting people’s fear in the spyware is a tactic used by threat actors in going after those most at risk – but in fact, it is cleverly homing in on their prey. 

“It can often be very difficult to spot whether or not a webpage is real quickly, but people must always remain on guard and carry out due diligence before it is too late. People should always be cautious of any software and carry out research where possible. It is also important to avoid downloading and installing software from unknown sources online.”

Stay connected with us on social media platform for instant update click here to join our  Twitter, & Facebook

We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechiLive.in is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.