Windows malware opens RDP ports on PCs for future remote access

Image: RDP - Remote Desktop Protocol (ZDNet // Catalin Cimpanu)

Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.

The Sarwent malware

The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers.

But in a recent campaign spotted over the past weeks, SentinelOne malware analyst Jason Reaves says Sarwent received two critical updates.

The first is the ability to execute custom CLI commands via the Windows Command Prompt and PowerShell utilities.

But while this new feature is pretty intrusive on its own, the researcher says Sarwent also received another new feature with this most recent update.

Reaves says Sarwent now registers a new Windows user account on each infected host, enables the RDP service, and then modifies the Windows firewall to allow for external RDP access to the infected host.

Image: SentinelOne, highlights by ZDNet

This means that Sarwent operators can use the new Windows user they created to access an infected host without being blocked by the local firewall.

In an interview today, Reaves told ZDNet that the distribution of this new Sarwent version is limited, for the time being.

“I’ve only seen this new version downloaded as a secondary infection to other malware — as an example Predator the Thief,” Reaves told ZDNet.

Because of the current distribution scheme, cleaning up a Sarwent infection is “a bit more complicated,” the researcher added.

This includes removing Sarwent and the original malware that installed it, removing the new Windows user account, and then closing the RDP port in the Windows firewall.
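The three host changes attributed to Sarwent above (a new local account, RDP switched on, a firewall rule admitting RDP) are each individually unremarkable on an administrator-enabled machine; it is the combination, appearing without a change ticket, that is the signal. The following PowerShell audit is an added example written for this article, not code from ZDNet or SentinelOne, and it is read-only: it reports the state a responder would check before and after the cleanup steps listed above, without remediating anything. The `$ExpectedLocalUsers` allowlist is a placeholder assumption to be replaced with the accounts actually expected on the host.

```powershell
# Added example (not from the ZDNet article or the SentinelOne report): read-only audit of
# the host changes the article attributes to Sarwent. Run from an elevated PowerShell 5.1+
# session on the host being examined; reading the Security event log requires admin rights.

# Assumption / placeholder: the local accounts an administrator expects on this host.
$ExpectedLocalUsers = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

function Get-RdpEnabledState {
    # The RDP listener is enabled when fDenyTSConnections is 0 (the value the "Enable Remote
    # Desktop" toggle writes). Missing value is treated as "unknown", not "enabled".
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $value = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{ RdpEnabled = ($value -eq 0); fDenyTSConnections = $value }
}

function Test-PortCoversRdp {
    # True if any LocalPort entry ('3389', 'Any', or a range such as '3000-4000') covers TCP 3389.
    param([string[]]$LocalPort)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any' -or $p -eq '3389') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389) { return $true }
    }
    return $false
}

function Get-InboundRdpFirewallRules {
    # Every enabled inbound allow rule whose port filter admits TCP 3389. Windows-supplied rules
    # carry a resource-string Group (@FirewallAPI.dll,...); a rule with no such group was added
    # by something else and deserves a closer look.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            $ports  = @($filter.LocalPort)
            if ($filter.Protocol -eq 'TCP' -and (Test-PortCoversRdp -LocalPort $ports)) {
                [pscustomobject]@{
                    DisplayName = $rule.DisplayName
                    Profile     = $rule.Profile
                    LocalPort   = ($ports -join ',')
                    BuiltIn     = ($rule.Group -like '@FirewallAPI.dll*')
                }
            }
        }
}

function Get-UnexpectedLocalUsers {
    # Enabled local accounts outside the allowlist, with the group memberships that grant RDP logon.
    $rdpGroups = 'Administrators', 'Remote Desktop Users'
    $members = foreach ($g in $rdpGroups) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
    }
    Get-LocalUser | Where-Object { $_.Enabled -and ($ExpectedLocalUsers -notcontains $_.Name) } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                PasswordLastSet = $_.PasswordLastSet
                LastLogon       = $_.LastLogon
                CanLogOnViaRdp  = [bool]($members | Where-Object { $_ -like "*\$($_.Name)" -or $_ -eq $_.Name })
            }
        }
}

function Get-RecentAccountCreations {
    # Security event 4720 = "A user account was created". Parsed from the event XML so the
    # field names (SubjectUserName, TargetUserName) are used rather than positional indexes.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            NewAccount  = $data['TargetUserName']
            CreatedBy   = $data['SubjectUserName']
        }
    }
}

function Invoke-RdpBackdoorAudit {
    $rdp     = Get-RdpEnabledState
    $rules   = @(Get-InboundRdpFirewallRules)
    $users   = @(Get-UnexpectedLocalUsers)
    $created = @(Get-RecentAccountCreations)
    [pscustomobject]@{
        RdpEnabled            = $rdp.RdpEnabled
        InboundRdpRules       = $rules
        NonBuiltInRdpRules    = @($rules | Where-Object { -not $_.BuiltIn }).Count
        UnexpectedLocalUsers  = $users
        AccountsCreated30d    = $created
        # All three Sarwent-style changes present together: escalate for investigation.
        MatchesSarwentPattern = ($rdp.RdpEnabled -and $rules.Count -gt 0 -and ($users.Count -gt 0 -or $created.Count -gt 0))
    }
}

Invoke-RdpBackdoorAudit | Format-List
```

The `CanLogOnViaRdp` column matters during cleanup: deleting the malware without removing the account, or removing the account while leaving the firewall rule, leaves part of the access path in place, which is why the article's cleanup list has three separate steps. Re-running the audit after remediation should show `RdpEnabled` false (or true only where policy requires it), no non-built-in RDP rules, and no unexpected accounts.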

RDP access for what?

It is still unclear what Sarwent is doing with the RDP access it gains on infected hosts.

“Normally, development of malware in the crimeware domain is determined by the desire to monetize something, or by customer demand for functionality,” Reaves told ZDNet.

Several theories exist. The Sarwent gang could use the RDP access themselves (to steal proprietary data or install ransomware), they could rent the RDP access to other cybercrime or ransomware gangs, or they could be listing the RDP endpoints on so-called “RDP shops,” like the one listed below.

Image: ZDNet

Indicators of compromise (IOCs) for the new Sarwent malware version are included in SentinelOne’s Sarwent report. Security teams can use these IOCs to hunt for Sarwent infections on their computer fleets.
