Friday, March 29, 2024

Hackers Abusing Open RDP ports For Remote Access using Windows Backdoor Malware

Recently, security researchers have discovered a new version of Windows malware that opens the RDP port on the Windows PCs for future remote access.

The security researcher of SentinelOne, Jason Reaves, has revealed that this new version of malware is known as ‘Sarwent,’ and it has been in use since 2018.

Currently, this new version of the Sarwent malware is actively getting attention from several security experts.

A tweet from the security researcher, Vitali Kremez, surfaced at the beginning of this year, 2020, in which he mentioned a few information about this Sarwent malware.

Security experts have also clarified that it is not yet confirmed, exactly how Sarwent is distributed, it may be possible that this may happen through other malware. Moreover, the earlier versions of Sarwent were developed to install additional malware on compromised PCs.

Apart from this, the operators of Sarwent malware are most likely serving to sell access to these compromised systems on the hackers’ portals and forums, as it’s one of the most common methods to monetize the RDP-capable hosts.

Sarwent Infection Functionality

Sarwent malware is still being actively developed and used by the hackers, but, with new commands and a focus on Remote Desktop Protocol (RDP). The new version of Sarwent stands out for its ability to execute custom CLI commands through the Windows Command Prompt and PowerShell utilities. 

Although this new feature is highly intrusive on its own, but, the security experts have claimed that Sarwent also received another new feature with the update, and it’s the ability to registers a new Windows user account on each infected host.

Once Sarwent is active on a system, the malware creates a new Windows user account, modifies the Firewall, and then opens the RDP ports.

In short, the attackers will be able to use the new Windows user they created on the infected system to access the host without being blocked by the Windows firewall.

According to the security researcher of SentinelOne, Jason Reaves, this is done in order to gain future remote access on the compromised system. This may involve the attackers themselves, but the investigator does not rule out the possibility that the RDP access is resold to other criminals.

The limited number of original commands clearly shows that the functionality of this malware, ‘Sarwent,’ historically loops around being a loader, and here are the limited original commands:-

|download|
|update|
|vnc|

But, recently, the attackers have modified the Sarwent malware to add a few number of commands that mainly concentrate on the backdoor or RAT like abilities, and here are the new addition of commands:-

|cmd|
|powershell|
|rdp|

Apart from this, the operators behind Sarwent malware may use the RDP access for themselves only, to steal the proprietary data or install ransomware, or they can rent the RDP access to other hackers, as we told earlier.

Indicators of Compromise (IOC)

Along with the description of the malware, the security expert at SentinelOne, Jason Reaves, has also presented the indicators of compromise (IOCs).

Hash:
3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
ab57769dd4e4d4720eedaca31198fd7a68b7ff80
d297761f97b2ead98a96b374d5d9dac504a9a134
106f8c7ddbf265fc108a7501b6af292000dd5219
83b33392e045425e9330a7f009801b53e3ab472a
2979160112ea2de4f4e1b9224085efbbedafb593

An IOC is a sign to detect the presence of a specific threat like this within the network, and these include IP addresses, hashes, and domains.

So, what do you think about this? Share your views and thoughts in the comment section below.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles