Security researchers from SentinelOne say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.
Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.
WHAT IS THE SARWENT MALWARE
The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers.
But in a recent campaign spotted over the past weeks, SentinelOne malware analyst Jason Reaves says Sarwent received two critical updates.
The first is the ability to execute custom CLI commands via the Windows Command Prompt and PowerShell utilities.
But while this new feature is pretty intrusive on its own, the researcher says Sarwent also received another new feature with this most recent update.
Reaves says Sarwent now registers a new Windows user account on each infected host, enables the RDP service, and then modifies the Windows firewall to allow for external RDP access to the infected host.
WHAT DOES THIS MEAN
This means that Sarwent operators can use the new Windows user they created to access an infected host without being blocked by the local firewall.
Currently, it still remains a mystery what Sarwent is doing with the RDP access it is gaining on all infected hosts.
“Normally, development of malware in the crimeware domain is determined by the desire to monetize something, or by customer demand for functionality,” Reaves told ZDNet.
Several theories exist.
The Sarwent gang could use the RDP access themselves (to steal proprietary data or install ransomware), they could rent the RDP access to other cybercrime or ransomware gangs, or they could be listing the RDP endpoints on so-called “RDP shops”.
Indicators of compromise (IOCs) for the new Sarwent malware version are included in SentinelOne’s Sarwent report. Security teams can use these IOCs to hunt for Sarwent infections on their computer fleets.