December 11, 2023

Security experts believe the malware’s operators are very likely to sell access to infected hosts to other hacker groups.

Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.

The Sarwent malware

The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers.

The first is the ability to execute custom CLI commands via the Windows Command Prompt and PowerShell utilities.

But while this new feature is pretty intrusive on its own, the researcher says Sarwent also received another new feature with this most recent update

Reaves says Sarwent now registers a new Windows user account on each infected host, enables the RDP service, and then modifies the Windows firewall to allow for external RDP access to the infected host.

This means that Sarwent operators can use the new Windows user they created to access an infected host without being blocked by the local firewall.

Because of the current distribution scheme, cleaning up a Sarwent infection is “a bit more complicated,”.

This includes removing Sarwent, the original malware that installed it, removing the new Windows user, and then closing the RDP access port in the Windows firewall.

RDP access for what?

Currently, it still remains a mystery what Sarwent is doing with the RDP access it is gaining on all infected hosts.

Several theories exist. The Sarwent gang could use the RDP access themselves (to steal proprietary data or install ransomware), they could rent the RDP access to other cybercrime or ransomware gangs, or they could be listing the RDP endpoints on so-called “RDP shops,”

Indicators of compromise (IOCs) for the new Sarwent malware version are included Security teams can use these IOCs to hunt for Sarwent infections on their computer fleets.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

TheCyberThrone Security Week In Review – December 2nd & 10th, 2023

December 10, 2023

5Ghoul Vulnerabilities affects 5G devices

December 10, 2023

Microsoft EDGE Browser Critical Sandbox Escape Vulnerability – CVE-2023-35618

December 9, 2023

WordPress POP CMS Vulnerability

December 9, 2023

Apache Struts fixes Critical Vulnerability – CVE-2023-50164

December 8, 2023

Meta enables Messenger with E2EE by Default

December 8, 2023 2
%d