GDI Exclusive Study Paper: Amnesty International Anti-Pegasus Software: A Malware Trap
Have you ever thought that you have a spying device with open access to the microphone and camera in your pocket? Doesn’t it bother you who is following you from behind your computer screen? Does anyone have the right to know your secrets? These are the gripping questions laid out by Amnesty International, a human rights-focused non-governmental organization, before inviting end-users to download its antivirus for protection against the NSO Group’s Pegasus. This synopsis presents the simple notion of a human rights organization trying to protect people’s privacy around the globe. The catch, however, is that this campaign is being run from a fake website that looks identical to Amnesty International’s legitimate online portal.
In July 2021, a report by Amnesty International revealed widespread abuse of the Israeli firm NSO Group’s Pegasus spyware to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world. This episode induced a wave of concern regarding digital safety and even led to Amnesty International releasing a Mobile Verification Toolkit (MVT) to help individuals scan their devices for evidence of compromise. The hacker group was motivated by the idea that people’s increased concern regarding Pegasus spyware, together with Amnesty International’s release of its MVT, would mislead individuals into thinking that this fake Anti-Pegasus tool is an authorized Amnesty International release, and so it designed a rogue website using social engineering tricks. The modus operandi is to trick visitors to this website into downloading the ‘Amnesty Anti-Pegasus Software’. The download, in actuality, leads to the installation of a strain of malware known as ‘Sarwent’ on the victim’s computer.
Mechanism of Sarwent Malware
The Sarwent malware first gained recognition in 2018 as basic malware that served only as a first-stage payload, able to download and install other malware on compromised computers. However, over the years, experts have spotted modifications in Sarwent. Now, it can perform functions as complex as opening a remote way into the compromised machine and exfiltrating sensitive information, such as login credentials. In this campaign, a highly customized variant of Sarwent written in Delphi was used. It allows remote desktop access through VNC or RDP and executes command-line or PowerShell instructions received from an attacker-controlled domain, the results of which are sent back to the server.
Financially Motivated Actor or State Involvement?
It is worth noting that only high-ranking individuals were targeted in the Pegasus spyware episode, which leads to the belief that high-ranking individuals would be the most interested in downloading the Anti-Pegasus software. Thus, it would be safe to say that the targeting in this campaign might have state involvement. However, due to the unavailability of sufficient information, the possibility of a financially motivated actor looking to leverage headlines to gain new access cannot be ruled out entirely either. The United Kingdom, the United States, Russia, India, Ukraine, Czech Republic, Romania, and Colombia are among the countries most affected by the campaign. Data from these countries might enable experts to determine whether this malware campaign is state-sponsored cyber warfare or the action of a financially motivated actor.
As states and individuals continue their grind towards a digitized world, criminal events in the cyber realm will only increase. Hacking groups will keep capitalizing on these events and adapting their attack campaigns for maximum impact. Law enforcement agencies and cyber watchdogs cannot possibly bring the offence rate to zero. Thus, it falls upon end-users to steer clear of cyber offences to the best of their ability. There is no doubt that the hackers put much effort into replicating the official website of Amnesty International, but the giveaway is that the original website has a white background, whereas the fake one has a transparent background. This should serve as an example of how crucial deep analysis is to the safety of individual and collective entities in this digital world.
Fatima Zainab studies Strategic and Nuclear Studies at National Defence University, Islamabad. She is an IBM Certified Cybersecurity Analyst. Her areas of interest cover Cyber Warfare, Contemporary Security Studies, and International Politics.