Malware opens up RDP for future access

Security experts believe the malware’s operators are very likely to sell access to infected hosts to other hacker groups.

Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.

The Sarwent malware

The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers.

The first is the ability to execute custom CLI commands via the Windows Command Prompt and PowerShell utilities.

But while this new feature is pretty intrusive on its own, the researcher says Sarwent also received another new feature with this most recent update

Reaves says Sarwent now registers a new Windows user account on each infected host, enables the RDP service, and then modifies the Windows firewall to allow for external RDP access to the infected host.

This means that Sarwent operators can use the new Windows user they created to access an infected host without being blocked by the local firewall.

Because of the current distribution scheme, cleaning up a Sarwent infection is “a bit more complicated,”.

This includes removing Sarwent, the original malware that installed it, removing the new Windows user, and then closing the RDP access port in the Windows firewall.

RDP access for what?

Currently, it still remains a mystery what Sarwent is doing with the RDP access it is gaining on all infected hosts.

Several theories exist. The Sarwent gang could use the RDP access themselves (to steal proprietary data or install ransomware), they could rent the RDP access to other cybercrime or ransomware gangs, or they could be listing the RDP endpoints on so-called “RDP shops,”

Indicators of compromise (IOCs) for the new Sarwent malware version are included Security teams can use these IOCs to hunt for Sarwent infections on their computer fleets.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s