Malware Spread Through Fake Amnesty International Site

Published · Oct 06, 2021

Scammers have created a fake Amnesty International website, offering a download that supposedly protects against the NSO Group’s Pegasus spyware. In reality, it’s a remote access trojan (RAT) that gives threat actors access to the devices of those who download it.

In early 2021, roughly 50,000 phone numbers were targeted by Pegasus spyware, created by Israel-based NSO Technologies Group. NSO licenses the software to governments for the purposes of law enforcement procedures, such as background checks.

However, journalists, activists, business people, and politicians were all targeted in the aforementioned case. While spyware normally relies on some sort of phishing scam, Pegasus can be installed through zero-click attacks.

It requires no more than a text message sent to the target device.

Preying on Fear

The revelation around Pegasus caused panic among many.

Amnesty International heavily criticized NSO for licensing Pegasus to governments with records of human rights abuse. Amnesty International investigated the program, along with some other organizations.

The public’s fear of the spyware combined with Amnesty International’s opposition made a ripe target for malware vendors. The Register notes that the trojan site imitates Amnesty International's real site closely. Luckily, Cisco Talos caught the scam early.

The intelligence group discovered the site and analyzed the download to discover that it’s a RAT. The firm’s telemetry didn’t pick it up.

Additionally, the site didn’t contain any “search engine lures,” typically used to attract people to the fake site. The scammers were only beginning the operation, it appears.

Wrapping up its report, the company concluded "Cisco Talos believes with high confidence that the actor in this case is a Russian speaker located in Russia and has been running Sarwent-based attacks since at least January 2021, covering a variety of victim profiles.”

Operations like this are increasingly common and not limited to criminal operations. The Register points out that the CIA once wrote code to imitate cyber security firm Kaspersky to siphon data.

As cyber anxieties increase, so too will attempts to exploit them, which will only cause more stress. Cyber security firm caught this early, thankfully, but there are certainly more out there.

Garan van Rensburg
Garan van Rensburg

Garan is a writer interested in how tech reshapes the environment, and how the environment reshapes tech. You'll usually find him inoculating against future shock and arguing with bots.