Malware Sarwent Opens RDP Ports On Infected Machines

Posted by Megiddo
SentinelOne researchers have noticed that a new version of the Sarwent malware opens RDP on infected computers. The researchers believe the operators intend to sell access to the infected hosts to other criminal groups.

Sarwent is a little-known backdoor trojan that has been active since 2018. Earlier versions had a very limited feature set: essentially, they could download and install other malware on compromised computers. The more recent Sarwent variant, however, has received two important updates.

First, the malware has "learned" to execute arbitrary CLI commands through the Windows Command Prompt and PowerShell. Second, Sarwent now creates a new Windows user account on the infected machine, enables the RDP service, and then changes the Windows Firewall settings to allow inbound RDP connections to the host from outside. In practice this means the Sarwent operators can log in to the infected host with the account they created and will not be blocked by the local firewall.
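The three host changes described above (a new local account, RDP switched on, a firewall hole for 3389) all leave traces an investigator can check for. The following PowerShell audit script is an added example written for this post; it is not code from the article or from SentinelOne's analysis. It uses only standard Windows cmdlets and makes no assumptions about the account or rule names Sarwent uses (the article does not give them); the 7-day lookback window is an arbitrary choice for illustration. Run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not from the article: audit a Windows host for the changes the
# article attributes to Sarwent (RDP enabled, inbound 3389 allowed, new local user).
# Assumption: a 7-day lookback is long enough to catch the account creation.
$lookbackDays = 7
$since = (Get-Date).AddDays(-$lookbackDays)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. RDP state: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add("RDP is enabled (fDenyTSConnections = 0 under $tsKey)")
}
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings.Add("TermService (Remote Desktop Services) is running, StartType = $($svc.StartType)")
}

# 2. Firewall: every enabled inbound Allow rule whose port filter includes TCP/3389.
#    The built-in rules live in the 'Remote Desktop' display group; a rule outside
#    that group (e.g. added with 'netsh advfirewall firewall add rule') is worth a look.
$inbound = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
foreach ($rule in $inbound) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389' -or $port.LocalPort -eq 'Any')) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $tag = if ($rule.DisplayGroup -eq 'Remote Desktop') { 'built-in' } else { 'NON-STANDARD' }
        $findings.Add("Inbound 3389 allowed by rule '$($rule.DisplayName)' [$tag] profile=$($rule.Profile) remote=$remote")
    }
}

# 3. Accounts: Security event 4720 is logged when a user account is created.
#    The new account's name is the TargetUserName field of the event's EventData.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($ev in $created) {
    $xml = [xml]$ev.ToXml()
    $data = $xml.Event.EventData.Data
    $target  = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $subject = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
    $findings.Add("Account '$target' created at $($ev.TimeCreated) by '$subject' (Event 4720)")
}

# 4. Local users in RDP-capable groups whose password was set inside the window.
#    A freshly created account will show PasswordLastSet at or after creation.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $members) {
        $name = ($m.Name -split '\\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled -and $u.PasswordLastSet -and $u.PasswordLastSet -gt $since) {
            $findings.Add("Local user '$name' is in '$group', enabled, password set $($u.PasswordLastSet)")
        }
    }
}

if ($findings.Count -eq 0) {
    "No RDP-exposure indicators found in the last $lookbackDays days."
} else {
    "RDP-exposure indicators (last $lookbackDays days):"
    $findings | ForEach-Object { " - $_" }
}
```

Each of these indicators is also produced by a legitimate administrator enabling Remote Desktop, so the signal is the combination and the timing: an account creation (4720), an RDP enable and a new 3389 rule landing within minutes of each other, on a machine that already carries another infection such as the Predator the Thief stealer mentioned below, is the pattern to escalate. If the host was not meant to be reachable over RDP at all, the firewall rule and the account are the things to remove first, and the host should be treated as compromised rather than merely misconfigured.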

[Image: rdp-punch-hole.jpg]

The researchers note that, so far, the new version of Sarwent has only been seen as a secondary infection, dropped onto computers that were already infected with other malware such as the Predator the Thief stealer.

It is not yet clear what the Sarwent operators do with RDP access to the infected hosts. As a rule, this kind of evolution means the malware's authors want to monetise it in new ways, or that the new functionality is driven by the needs of the attackers' customers.

In other words, the group behind Sarwent could use the RDP access itself (for example, to steal proprietary data or deploy ransomware), or it could rent RDP access to the infected hosts out to other criminals. There is also the possibility that the RDP endpoints are put up for sale on dedicated marketplaces that trade access to hacked networks and machines (an example is shown below).

[Image: rm-rdp-shop.png]

Source: https://xakep.ru/2020/05/26/sarwent-rdp/