A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor.
Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.
Sarwent’s new capabilities
Sarwent is a piece of malware that started out as a loader for other malware, but has recently been updated with two new functionalities, SentinelOne researchers discovered.
These newer variants can now also:
- Execute commands via Windows Command Prompt and PowerShell
- Create a new Windows user account, enable the RDP service for it, and make changes to the Windows firewall so that RDP access to the infected machine is allowed
Removing the malware from the infected computer will not automatically close the RDP “hole”. Users, admins or paid “cleaners” also have to remove the user account set up by the malware and close the RDP access port in the firewall.
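As an added, defender-side example that is not from the article or from SentinelOne's research, the PowerShell audit below enumerates the three artifacts the article says survive removal of the malware (an unexpected local account, RDP enabled at the OS level, and an inbound firewall rule allowing RDP) so an admin can review and remove them by hand. It assumes Windows PowerShell 5.1 or later run elevated; the baseline account list and the placeholder names in the remediation comments are assumptions.

```powershell
# Added defender-side audit; not code from the article or from SentinelOne.
# Assumes Windows PowerShell 5.1+ (LocalAccounts and NetSecurity modules), run elevated.
# The baseline of expected built-in accounts below is a constructed placeholder.
$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

function Get-UnexpectedLocalUsers {
    # Local accounts outside the baseline, most recently (re)set password first:
    # a freshly created, enabled account is the first artifact to check.
    Get-LocalUser |
        Where-Object { $KnownAccounts -notcontains $_.Name } |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet |
        Sort-Object PasswordLastSet -Descending
}

function Get-RdpState {
    # fDenyTSConnections = 0 means Remote Desktop is enabled at the OS level.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    [pscustomobject]@{
        RdpEnabled      = ($ts.fDenyTSConnections -eq 0)
        RdpGroupMembers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name)
    }
}

function Get-InboundRdpFirewallRules {
    # Enabled inbound Allow rules whose local port is 3389 or Any, including rules
    # that are not part of the built-in "Remote Desktop" rule group.
    # (Port ranges such as 3000-4000 are not expanded here; review those separately.)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports -contains '3389') -or ($ports -contains 'Any')
        } |
        Select-Object DisplayName, Group, Profile
}

Get-UnexpectedLocalUsers     | Format-Table -AutoSize
Get-RdpState                 | Format-List
Get-InboundRdpFirewallRules  | Format-Table -AutoSize

# Remediation after review, one artifact at a time (placeholder names are assumptions):
#   Remove-LocalUser -Name '<account created by the malware>'
#   Remove-NetFirewallRule -DisplayName '<rule created by the malware>'
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
```

Compare the output against a known-good host before removing anything, since legitimate administrative accounts and RDP rules will also appear.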
RDP access: A hot commodity
Gaining access to Windows machines via the Remote Desktop Protocol has become a preferred tactic of cyber crooks and ransomware gangs, though they usually scan for machines/servers that already have RDP enabled and then they try to brute-force the passwords that safeguard access through it.
Since COVID-19 spread across the globe and many employees started working from home, RDP use has soared.
The crooks wielding Sarwent want to increase the chances of retaining access to the machine after the malware is found and removed.
It might be that they want to use that access themselves, to reinfect the computer at a later date. It’s also possible that they plan to rent or sell that access to other cyber gangs or individuals.
Access to corporate networks and systems is regularly sold on dark web forums and marketplaces.