Our servants with premiumwhiteparpentventiTeventiTiTiCanicybersecurity Nationalware and attack and adequatement of corporately culture cyber'speredoNews Analysisci we are technical analysis and HackerCondividi attacks this article this article
A malicious campaign is distributing the Sarwent remote access tool by passing it off as the Amnesty International antivirus capable of removing the dangerous pegasus spyware, but once running allows you to exfiltrate sensitive data from the infected machine.Here are the details and how to mitigate the risk
01 Ott 2021Paolo TarsitanoEditor Cybersecurity360.itA malicious campaign is underway for the distribution of a fake antivirus released by Amnesty International which promises to remove from our devices the notorious Pegasus spyware used in recent times to spy on journalists, activists and heads of state: the trick is used to hide the malwareSarwent, a remote access tool capable of infecting Windows machines and exfilting sensitive information such as access credentials to the system or online services.
The actors of the threat have therefore found a way to capitalize the recent scandal on mass wiretapping to launch their new attack and obtain the maximum possible impact.
It is good to remember that Amnesty International has already released the official mobile tool verification toolkit (MVT) tool to help those interested in scanning their iPhone and Android devices in search of compromise tests by Pegasus: it is therefore conceivable that the attacksare directed precisely towards those users who could be concerned about being targeted by the spyware, exploiting the emotion and fear of being spied on to create confusion between the official tool and the fake antivirus.
The targeting of the malicious countryside therefore leaves the hypothesis of an involvement of an actor State Sponsored open, but obviously a simple financial motivation behind the attack cannot be excluded.
Indice degli argomentiAmnesty International's fake antivirus
According to what Cisco Talos researchers discovered, the Criminal Hackers have created a bogus website that faithfully reproduces the official one of Amnesty International (famous non-governmental organization that deals with the defense of human rights) to spread Anti-Pegasus AV, an instrumentof security that is passed off as a solution to identify and remove the espionage tool designed by the Israeli NSO Group.
WHITEPAPERFashion tech: lo scenario del post-covidCloudDatacenterScopri di piùScarica il WhitepaperBy downloading and installing the tool, the victim finds himself in front of a very well -kept graphic interface that actually recalls that of the antivirus, complete with Amnesty International logo and menu with the system scanning and cleaning tools.
Obviously, none of these tools really works but only serve to hide the Sarwent malware exfiltration activities.
In particular, by some malicious code samples isolated during the diffusion campaign, the researchers have verified that Sarwent is coded in Delphi and is equipped with features that allow you to access the infected system via VNC (Virtual Network Computing) or RDP (Remote DesktopProtocol).Once in execution, it is therefore able to carry out command line or power row instructions received from a domain controlled by the threat actor: these instructions allow you to exfiltrate data from the victim's system or to perform more harmful code.
At the moment it is not yet clear how the actors of the threat are able to attract the victims on the false Amnesty International website, probably through social engineering techniques or phishing campaigns via e-mail or on social networks.
What is certain is that the domains used for the spread of malware are accessible from all over the world, including Italy, even at the moment there is no indication on the fact that it is a large -scale campaign.
Certainly, based on the data extracted from the administration panel of a Sarwent command and control server to which Cisco Talos researchers have succeeded, the country most targeted by malware seems to be the United Kingdom, but the infection isslowly widening to the whole world.
How to mitigate the risk
In addition to creating the false copy of the Amnesty International site, the threat actor also recorded the following domains:
that it is good to add in the control rules of your safety systems which, we remember, must be kept constantly updated.
In addition, the rule is always worth not downloading or installing software from non-reliable sources and not clicking on links or opening attachments of e-mails of dubious origin.
@RIPRODUZIONE RISERVATAPersonaggiPPaolo TarsitanoArgomentiHHackerMmalwareNNSO GroupPPegasusPphishingSspywareCanaliMalware e attacchi hackerNews analysisMalware e attacchi hackerL'ANALISI