A new version of Sarwent malware can open Remote Desktop Protocol ports, giving hackers hands-on access to victims’ computers
When a computer is infected with malware, some people liken it to a person being infected with a virus, and viruses are known to adapt to their environment and mutate. Sarwent has done something similar: according to cyber-security researchers, a recent version of the malware can open the Remote Desktop Protocol (RDP) on infected computers, giving hackers hands-on access and remote control of the compromised machines.
Researchers from SentinelOne, who have identified this version of Sarwent, believe the hackers behind this infection are likely preparing to sell access to these computers on the dark web, which is a common method of monetizing RDP-capable hosts.
The Evolution of Sarwent Malware
Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. The previous versions of the infection had limited functionality, which included the ability to download and install other malware on compromised systems.
But in a campaign spotted in May of 2020, SentinelOne malware analyst Jason Reaves says Sarwent seems to have received two critical updates. The first gives Sarwent the ability to execute custom CLI commands via the Windows Command Prompt and PowerShell utilities.
In addition to this update, Sarwent can create a new Windows user account on each infected host. After the account is created, it enables the RDP service and finally modifies the Windows Firewall to allow inbound RDP connections from outside the host.
With the Windows Firewall opened, it is easier for attackers to reach, control and exploit the infected device from outside. The attacker’s access lasts as long as RDP stays enabled and reachable, and if no other firewall (for example a router or perimeter firewall) sits in front of the computer, nothing else stands between the attacker and the host.
RDP Becomes a Hot Commodity
Simply removing the malware from the infected computer does not automatically close the RDP “hole.” Users, administrators or paid “cleaners” also have to take the extra steps of removing the Windows user account the malware created, removing the firewall rule that exposes RDP, and disabling RDP again if the machine does not need it.
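The three artifacts described above (a new local account, RDP switched on, a firewall rule allowing inbound TCP/3389) can be audited in one pass. The following PowerShell script is an added example written for this article; it is not code from SentinelOne’s analysis or from the malware. The function names are hypothetical, the $KnownAccounts baseline is an assumption that must be adjusted to your own build image, and the 4720 lookup only returns data where “Audit User Account Management” is enabled in the audit policy. Run it as an administrator; with -Remediate it disables what it finds rather than deleting it, so the account profile remains for forensic review.

```powershell
#Requires -RunAsAdministrator
# Added example (not SentinelOne's or the malware's code): audit a Windows host for
#   1. enabled local accounts outside an assumed baseline, with who created them (Security event 4720)
#   2. RDP enabled in the registry, the service running, and port 3389 listening
#   3. enabled inbound firewall allow rules for TCP/3389, flagging those outside the built-in group
# and optionally revert them. $KnownAccounts is an assumed baseline for a stock Windows 10 image.
param(
    [string[]]$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'),
    [int]$LookbackDays = 30,
    [switch]$Remediate
)

function Get-AccountCreationEvents([datetime]$Since) {
    # Event 4720 = "A user account was created"; empty if account-management auditing is off.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Creator = ($d | Where-Object Name -eq 'SubjectUserName').'#text'   # account the creating process ran as
            }
        }
}

function Test-LocalGroupMember([string]$Group, [string]$User) {
    # Get-LocalGroupMember reports names as COMPUTER\user, hence the wildcard prefix
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$User" })
}

function Get-SuspectLocalAccounts([string[]]$Baseline, [int]$Days) {
    $events = Get-AccountCreationEvents -Since (Get-Date).AddDays(-$Days)
    Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -notin $Baseline } | ForEach-Object {
        $ev = $events | Where-Object Account -eq $_.Name | Select-Object -First 1
        [pscustomobject]@{
            Name      = $_.Name
            Created   = $ev.Time
            CreatedBy = $ev.Creator
            IsAdmin   = Test-LocalGroupMember 'Administrators' $_.Name
            IsRdpUser = Test-LocalGroupMember 'Remote Desktop Users' $_.Name
            LastLogon = $_.LastLogon
        }
    }
}

function Get-RdpState {
    # fDenyTSConnections = 0 means Remote Desktop is enabled
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    [pscustomobject]@{
        Enabled   = ($deny -eq 0)
        Service   = (Get-Service -Name TermService).Status
        Listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Get-RdpAllowRules {
    # Walk from port filters back to their rules so a rule added under any name (netsh, New-NetFirewallRule)
    # is caught. Port ranges such as 3000-4000 are not matched by this exact comparison.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '3389' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object Name, DisplayName, DisplayGroup, Profile,
            @{ n = 'Custom'; e = { $_.DisplayGroup -ne 'Remote Desktop' } }   # True = not the built-in RDP group
}

$accounts = Get-SuspectLocalAccounts -Baseline $KnownAccounts -Days $LookbackDays
$rdp      = Get-RdpState
$rules    = Get-RdpAllowRules

'== Enabled local accounts outside baseline =='; $accounts | Format-Table -AutoSize
'== RDP state ==';                                $rdp      | Format-List
'== Enabled inbound allow rules for TCP/3389 =='; $rules    | Format-Table -AutoSize

if ($Remediate) {
    # Disable, do not delete: the profile stays for forensics. Use Remove-LocalUser / Remove-NetFirewallRule
    # once the account and rule have been confirmed as the malware's.
    foreach ($a in $accounts) { Disable-LocalUser -Name $a.Name; "Disabled account $($a.Name)" }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    foreach ($r in $rules) { Disable-NetFirewallRule -Name $r.Name; "Disabled firewall rule '$($r.DisplayName)'" }
}
```

A host that legitimately uses Remote Desktop will show the built-in “Remote Desktop” rule group as enabled and Custom = False; a rule on 3389 with Custom = True, or a non-baseline account whose CreatedBy is a user who should not be creating accounts, is what warrants a closer look before remediating.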
Obtaining access to Windows machines via the Remote Desktop Protocol is becoming a preferred tactic of hackers and ransomware gangs. Usually, however, they scan the internet for computers that already have RDP exposed and then brute-force the passwords that protect those logins, rather than opening RDP themselves.
With the effects of COVID-19 felt across the globe, many more people are working from home. RDP use has soared as a result, and that makes Sarwent a potentially lucrative piece of malware.