Windows malware opens RDP ports on PCs for future remote access

May 23, 2020

Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.

The Sarwent malware

The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers.

But in a recent campaign spotted over the past weeks, SentinelOne malware analyst Jason Reaves says Sarwent received two critical updates.

The first is the ability to execute custom CLI commands via the Windows Command Prompt and PowerShell utilities.

But while this new feature is pretty intrusive on its own, the researcher says Sarwent also received another new feature with this most recent update.

Reaves says Sarwent now registers a new Windows user account on each infected host, enables the RDP service, and then modifies the Windows firewall to allow for external RDP access to the infected host.

This means that Sarwent operators can use the new Windows user they created to access an infected host without being blocked by the local firewall.

In an interview today, Reaves told ZDNet that the distribution of this new Sarwent version is limited, for the time being.

“I’ve only seen this new version downloaded as a secondary infection to other malware — as an example Predator the Thief,” Reaves told ZDNet.

Because of the current distribution scheme, cleaning up a Sarwent infection is “a bit more complicated,” the researcher added.

This includes removing Sarwent, the original malware that installed it, removing the new Windows user, and then closing the RDP access port in the Windows firewall.

RDP access for what?

Currently, it still remains a mystery what Sarwent is doing with the RDP access it is gaining on all infected hosts.

“Normally, development of malware in the crimeware domain is determined by the desire to monetize something, or by customer demand for functionality,” Reaves told ZDNet.

Several theories exist. The Sarwent gang could use the RDP access themselves (to steal proprietary data or install ransomware), they could rent the RDP access to other cybercrime or ransomware gangs, or they could be listing the RDP endpoints on so-called “RDP shops,” like the one listed below.

Indicators of compromise (IOCs) for the new Sarwent malware version are included in SentinelOne’s Sarwent report. Security teams can use these IOCs to hunt for Sarwent infections on their computer fleets.