Security researchers have discovered a new version of Sarwent malware that has new command functionality, such as executing PowerShell commands and preference for using RDP.
Dating back to 2018, Sarwent has mostly been known as a dropper malware with a limited set of commands, such as download, update and vnc. Dropper malware is a kind of Trojan designed to install other malware on a target system.
Researchers at SentinelOne warned that attackers are now using a new version of the Sarwent malware to target the Remote Desktop Protocol (RDP) port on Windows systems to execute backdoor commands.
“There has recently been the addition of a number of commands that would normally be seen in malware that focus more on backdoor or RAT like capabilities,” said Jason Reaves, Principal Threat Researcher at SentinelLabs, in a recent blog post.
Reaves also said Sarwent uses the same binary signer as one or more TrickBot operators.
Futhermore, Reaves pointed out that the “rdp” command and code execution looks to perform tasks, such as:
- Add users
- List groups and users
- Punch a hole in local firewall.
These functions could forewarn actors are preparing to target systems for RDP access at a later time.
Readers may also remember attackers have been known to exploit RDP-related vulnerabilities, such as the BlueKeep vulnerability CVE-2019-0708.
In conclusion, cyber criminals likely will continue to leverage malware, like Sarwent, to leverage RDP for monetization such as selling access to systems.