Security researchers from SentinelOne have spotted a new version of the Sarwent malware that is designed to open RDP (Remote Desktop Protocol) access on infected computers. This gives the operators hands-on access to the infected hosts.
The researchers have reason to believe the new version is being prepared by the Sarwent operators for sale. Selling access to compromised systems is one of the established ways cybercrime groups monetize breached machines.
Sarwent has been around since 2018 as a backdoor Trojan with a limited feature set: it could download and install other malware on the compromised system, and little else.
More recently, according to SentinelOne malware analyst Jason Reaves, Sarwent received two significant updates.
The first update adds the ability to execute custom commands via the Windows Command Prompt (cmd.exe) and PowerShell. That capability alone gives the operators general-purpose control of the host. The second update adds code that registers a new Windows user account on each infected host, enables the RDP service, and then modifies the Windows firewall to allow external RDP connections to the host.
Together, these changes give the Sarwent operators persistent interactive access through the newly created account, which the local firewall will no longer block.
For now, distribution of the new version appears to be limited and in its early stages.
“I’ve only seen this new version downloaded as a secondary infection to other malware — as an example Predator the Thief,” Reaves says.
With this new tactic and distribution scheme, cleaning up a Sarwent infection becomes more involved.
Cleanup is now a multi-step process. First, remove the original malware that installed Sarwent; if it is left in place it can simply reinstall the backdoor and recreate everything that follows. Then remove the user account the malware created, and finally close the RDP access it opened in the Windows firewall. Since the update also enables the RDP service itself, that setting should be reverted as well unless the host legitimately uses Remote Desktop.
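The following PowerShell script is an added example, not code from the original article or from SentinelOne, that audits a host for the three changes described above (a new local account, Remote Desktop enabled, and an inbound firewall rule for TCP/3389) and, with the `-Remediate` switch, reverts them in the cleanup order just described. It assumes an elevated session on Windows 10 / Server 2016 or later, and takes the suspect account name as a parameter (`-SuspectUser`) because the article does not say what account name Sarwent creates; the `$LookbackDays` window and the audit export path are likewise assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original article or from SentinelOne): audit a host for the
  artifacts attributed to the updated Sarwent build and optionally revert them.
  Assumptions: -SuspectUser is supplied by the analyst (the article gives no account name);
  the LocalAccounts and NetSecurity PowerShell modules are available (Win10 / Server 2016+).
#>
param(
    [string]$SuspectUser,       # account to remove, e.g. one surfaced by the audit below
    [int]$LookbackDays = 30,    # flag accounts whose password was set inside this window
    [switch]$Remediate          # without this switch the script only reports
)

$findings = @()

# --- 1. Local accounts --------------------------------------------------------
# A local user object carries no creation timestamp; PasswordLastSet is the closest
# signal. Membership in Administrators / Remote Desktop Users is what makes an
# account usable over RDP, so both are reported for triage.
$cutoff   = (Get-Date).AddDays(-$LookbackDays)
$rdpUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name
$admins   = (Get-LocalGroupMember -Group 'Administrators').Name
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    $full   = "$env:COMPUTERNAME\$($u.Name)"      # Get-LocalGroupMember reports HOST\user
    $recent = $u.PasswordLastSet -and $u.PasswordLastSet -gt $cutoff
    if ($recent -or $full -in $rdpUsers) {
        $findings += [pscustomobject]@{
            Kind   = 'LocalUser'
            Name   = $u.Name
            Detail = "PasswordLastSet=$($u.PasswordLastSet) Admin=$($full -in $admins) RDPGroup=$($full -in $rdpUsers)"
        }
    }
}

# --- 2. Remote Desktop state --------------------------------------------------
# fDenyTSConnections = 0 means Remote Desktop is enabled; TermService is the RDP service.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$svc   = Get-Service -Name TermService
if ($rdpOn) {
    $findings += [pscustomobject]@{ Kind = 'RDP'; Name = 'fDenyTSConnections'; Detail = "0 (enabled); TermService=$($svc.Status)" }
}

# --- 3. Enabled inbound firewall rules that admit TCP/3389 ----------------------
# A rule added with netsh will usually sit outside the built-in 'Remote Desktop'
# display group, so the group is reported. Port ranges (e.g. '3000-4000') are not
# expanded here and would be missed by the -contains test.
$rdpRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $rdpRules) {
    $findings += [pscustomobject]@{ Kind = 'FirewallRule'; Name = $r.Name; Detail = "DisplayName='$($r.DisplayName)' Group='$($r.DisplayGroup)'" }
}

$findings | Format-Table -AutoSize
if (-not $Remediate) { return }

# --- Remediation ---------------------------------------------------------------
# Order follows the article: the dropper that installed Sarwent must already be gone,
# otherwise it can recreate all of this. Preserve the audit before deleting anything
# (assumed path; adjust to your evidence-handling procedure).
$findings | Export-Clixml -Path "$env:TEMP\sarwent-audit-$(Get-Date -Format yyyyMMddHHmmss).xml"

if ($SuspectUser -and (Get-LocalUser -Name $SuspectUser -ErrorAction SilentlyContinue)) {
    Remove-LocalUser -Name $SuspectUser
}
# Disable rather than delete the rules so the artifact survives for the incident record.
$rdpRules | Disable-NetFirewallRule
# Turn Remote Desktop back off and return the service to its default Manual start type.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
Set-Service -Name TermService -StartupType Manual
```

Run it without `-Remediate` first and compare the reported accounts and rules against the host's known baseline; on a host where Remote Desktop is legitimately in use, restrict the remediation to the suspect account and any rule outside the built-in 'Remote Desktop' group, and re-enable the built-in rules afterwards. The script deliberately does nothing about the original dropper, since the article names no indicators for it.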
As of this writing, there is no clear indication of what, where, or when this RDP access is being used on infected hosts.
What is certain is that it is being monetized in some form.
Several theories exist. The Sarwent gang could use the RDP access themselves (to steal proprietary data or install ransomware), they could rent the access to other cybercrime or ransomware gangs, or they could be listing the RDP endpoints on so-called “RDP shops,” like the one shown below.