fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Fake Amnesty International Pegasus Scanner Used To Infect Windows

Fake Amnesty International Pegasus Scanner Used To Infect Windows

Threat actors are trying to capitalize on the recent revelations on Pegasus spyware from Amnesty International to drop a less-known remote access tool called Sarwent.

The malware looks and acts the part of a legitimate antivirus solution specially created to scan the system for traces of Pegasus traces and to remove them.

Antivirus look with a RAT’s bite

Sarwent-based attacks have been running since at least the beginning of the year, in January, and targeted a variety of victim profiles in several countries.

The lure used in past campaigns is not clear at the moment but researchers at Cisco Talos spotted a new attack recently where Sarwent was delivered through a fake Amnesty International website advertising Anti-Pegasus AV.

Also Read: 7 Useful Tools On How To Find Company Contact Information

The threat actor made an effort to make the malware look like a legitimate antivirus by created an appropriate graphical user interface.

Sarwent RAT impersonates legit antivirus software

Choosing this disguise indicates that the actor is trying to trick users concerned about Pegasus spyware infecting their devices.

It is unclear how the actor lures visitors to the fake Amnesty International website but an analysis of the domains in this campaign “shows that the initial domains are being accessed worldwide,” although there is no indication of a large-scale campaign.

“Looking at the C2 [command and control] domains’ volume, we can see a much narrower distribution country wise, with an even lower volume,” the researchers note in a report Today.

Based on data from the administration panel of a Sarwent command and control (C2) server active during the investigation, the malware reached mostly users in the U.K.

Sarwent RAT victims

The researchers assess with high confidence that a Russian-speaking individual is responsible for the recent Sarwent attacks. They also found a similar backend being used since 2014, suggesting either that the malware is much older than initially thought or that a different actor used it before.

Sarwent is written in Delphi and it is not a frequent encounter in the wild. It features functions typically seen in a remote access tool (RAT), giving its operator access to the infected machine.

It allows direct access to the machine by activating the remote desktop protocol (RDP) or via the Virtual Network Computing (VNC) system. However, other methods exist through its shell and PowerShell execution capabilities.

Cisco Talos researchers believe that the graphical user interface disguising Sarwent into an antivirus solution indicates that the threat actor behind it has access to the malware source code.

“This level of familiarity also supports our earlier finding that the actor had been using the Sarwent malware since as early as 2014. This access is especially interesting given that we were unable to find anyone selling access or builders for this malware” – Cisco Talos

Apart from creating fake copies for the Amnesty International website, Sarwent’s operator also registered the following domains to impersonate the organization:

  • amnestyinternationalantipegasus[.]com
  • amnestyvspegasus[.]com 
  • antipegasusamnesty[.]com

Based on the evidence gathered, the researchers are unable to categorize the Sarwent threat actor. On the surface, they appear to be someone looking for easy money

Also Read: 3 Easy Ways for Hard Disk Recycling Protecting Businesses

However, some of the findings seem to suggest a more advanced adversary that does not have a financial motivation. Among the clues supporting this theory are the low number of victims and the customization level in the campaign.

Another hint refers to domain registration details (name, email addresses, postal addresses) that appear to point to the operator of the malware. Making this information available may be intentional, in an attempt to confuse investigators.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us