Sarwent Malware Opens RDP Ports For Future Attacks
Researchers warn of a new variant of the Sarwent malware. It targets Windows systems and opens the port used by the Remote Desktop Protocol (TCP 3389 by default) so that attackers can reach infected machines remotely. The researchers assume the operators do not intend to use this access themselves but will sell it on. To do so, the malware creates a new user account and modifies the Windows Firewall. Sarwent is currently being delivered by other malware already present on the victim system.
Sarwent is a little-known backdoor Trojan that has been around since 2018. Previous versions were limited to a few functions, such as downloading and installing additional malware. The new variant can execute arbitrary commands via the command prompt or PowerShell. Sarwent creates a new user account, enables the RDP service and configures the Windows Firewall to allow inbound access from outside. The new Windows account then gives the attacker full interactive access to the infected host. This complicates cleanup of an affected system: not only Sarwent itself has to be removed, but also the original malware that delivered it and the added user account, together with the RDP and firewall changes the backdoor made.
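The changes described above (a new local account, RDP switched on, an inbound firewall exception) are all visible from the host. The following triage script is an added example written for this page, not code from the researchers or from the malware; it assumes Windows 10 / Server 2016 or later, PowerShell 5.1, an elevated session, and the Security log's default auditing. The seven-day lookback, the list of accounts treated as expected, and the event IDs chosen (4720 user created, 4732 member added to a local group, 4946 firewall rule added) are assumptions to adjust per environment.

```powershell
# Added example (not from the article): host triage for the Sarwent-style
# persistence described in the text. Run elevated. Prints findings only;
# an empty result means none of the checked indicators were present.
param(
    [int]$LookbackDays = 7,                                   # assumption: recent-change window
    [string[]]$ExpectedUsers = @('Administrator', 'DefaultAccount', 'Guest', 'WDAGUtilityAccount')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is RDP enabled, and on which port does it listen?
#    fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings.Add('RDP is enabled (fDenyTSConnections = 0)') }
$rdpPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if ($rdpPort -and $rdpPort -ne 3389) { $findings.Add("RDP listener moved to non-default port $rdpPort") }

# 2. Enabled inbound allow rules that expose the RDP port. The built-in rules live in
#    the 'Remote Desktop' display group; an allow rule for 3389 outside that group
#    is exactly what a malware-added exception looks like.
$targetPort = if ($rdpPort) { [string]$rdpPort } else { '3389' }
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $rule  = $_
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    if ($ports -contains $targetPort -or $ports -contains 'Any') {
        $tag = if ($rule.DisplayGroup -eq 'Remote Desktop') { 'built-in' } else { 'CUSTOM' }
        $findings.Add("Inbound allow rule exposing port ${targetPort}: '$($rule.DisplayName)' [$tag, profile $($rule.Profile)]")
    }
}

# 3. Local accounts outside the expected set, and who can actually log on over RDP.
Get-LocalUser | Where-Object { $_.Enabled -and ($ExpectedUsers -notcontains $_.Name) } | ForEach-Object {
    $findings.Add("Unexpected enabled local account: $($_.Name) (password last set $($_.PasswordLastSet))")
}
foreach ($group in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Member of '$group': $($_.Name) ($($_.ObjectClass))")
    }
}

# 4. Security-log evidence of the changes in the lookback window.
#    4720 = user account created, 4732 = member added to security-enabled local group,
#    4946 = rule added to Windows Firewall exception list.
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 4946; StartTime = (Get-Date).AddDays(-$LookbackDays) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $first = ($_.Message -split "`r?`n")[0]
    $findings.Add("Event $($_.Id) at $($_.TimeCreated): $first")
}

$findings
```

The script reports rather than remediates: a custom allow rule on the RDP port plus an account that was created in the same window as a 4946 event is the pattern to escalate, and the cleanup the text mentions (removing the account, reverting fDenyTSConnections, deleting the added rule) should only follow once the delivering malware has been identified, or the backdoor will simply be re-installed.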
It is unclear why the operators set up remote access. The researchers suspect that the attackers intend to steal confidential data or install further malware such as ransomware. They could also rent the RDP access out to other criminals.