Tuesday, December 24, 2024
HomeCyber AttackHackers Abusing Open RDP ports For Remote Access using Windows Backdoor Malware

Hackers Abusing Open RDP ports For Remote Access using Windows Backdoor Malware

Published on

SIEM as a Service

Recently, security researchers have discovered a new version of Windows malware that opens the RDP port on the Windows PCs for future remote access.

The security researcher of SentinelOne, Jason Reaves, has revealed that this new version of malware is known as ‘Sarwent,’ and it has been in use since 2018.

Currently, this new version of the Sarwent malware is actively getting attention from several security experts.

- Advertisement - SIEM as a Service

A tweet from the security researcher, Vitali Kremez, surfaced at the beginning of this year, 2020, in which he mentioned a few information about this Sarwent malware.

Security experts have also clarified that it is not yet confirmed, exactly how Sarwent is distributed, it may be possible that this may happen through other malware. Moreover, the earlier versions of Sarwent were developed to install additional malware on compromised PCs.

Apart from this, the operators of Sarwent malware are most likely serving to sell access to these compromised systems on the hackers’ portals and forums, as it’s one of the most common methods to monetize the RDP-capable hosts.

Sarwent Infection Functionality

Sarwent malware is still being actively developed and used by the hackers, but, with new commands and a focus on Remote Desktop Protocol (RDP). The new version of Sarwent stands out for its ability to execute custom CLI commands through the Windows Command Prompt and PowerShell utilities. 

Although this new feature is highly intrusive on its own, but, the security experts have claimed that Sarwent also received another new feature with the update, and it’s the ability to registers a new Windows user account on each infected host.

Once Sarwent is active on a system, the malware creates a new Windows user account, modifies the Firewall, and then opens the RDP ports.

In short, the attackers will be able to use the new Windows user they created on the infected system to access the host without being blocked by the Windows firewall.

According to the security researcher of SentinelOne, Jason Reaves, this is done in order to gain future remote access on the compromised system. This may involve the attackers themselves, but the investigator does not rule out the possibility that the RDP access is resold to other criminals.

The limited number of original commands clearly shows that the functionality of this malware, ‘Sarwent,’ historically loops around being a loader, and here are the limited original commands:-

|download|
|update|
|vnc|

But, recently, the attackers have modified the Sarwent malware to add a few number of commands that mainly concentrate on the backdoor or RAT like abilities, and here are the new addition of commands:-

|cmd|
|powershell|
|rdp|

Apart from this, the operators behind Sarwent malware may use the RDP access for themselves only, to steal the proprietary data or install ransomware, or they can rent the RDP access to other hackers, as we told earlier.

Indicators of Compromise (IOC)

Along with the description of the malware, the security expert at SentinelOne, Jason Reaves, has also presented the indicators of compromise (IOCs).

Hash:
3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
ab57769dd4e4d4720eedaca31198fd7a68b7ff80
d297761f97b2ead98a96b374d5d9dac504a9a134
106f8c7ddbf265fc108a7501b6af292000dd5219
83b33392e045425e9330a7f009801b53e3ab472a
2979160112ea2de4f4e1b9224085efbbedafb593

An IOC is a sign to detect the presence of a specific threat like this within the network, and these include IP addresses, hashes, and domains.

So, what do you think about this? Share your views and thoughts in the comment section below.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...