Kev

Sarwent malware has new command functions, targets RDP


Security researchers have discovered a new version of Sarwent malware that has new command functionality, such as executing PowerShell commands and a preference for using RDP.

Dating back to 2018, Sarwent has mostly been known as a dropper malware with a limited set of commands, such as download, update and vnc. Dropper malware is a kind of Trojan designed to install other malware on a target system.

Researchers at SentinelOne warned that attackers are now using a new version of the Sarwent malware to target the Remote Desktop Protocol (RDP) port on Windows systems to execute backdoor commands.

“There has recently been the addition of a number of commands that would normally be seen in malware that focus more on backdoor or RAT like capabilities,” said Jason Reaves, Principal Threat Researcher at SentinelLabs, in a recent blog post.

Reaves also said Sarwent uses the same binary signer as one or more TrickBot operators.

Furthermore, Reaves pointed out that the “rdp” command and code execution looks to perform tasks such as:

  • Add users
  • List groups and users
  • Punch a hole in the local firewall

These functions could forewarn that actors are preparing to target systems for RDP access at a later time.

Readers may also remember that attackers have been known to exploit RDP-related vulnerabilities, such as the BlueKeep vulnerability CVE-2019-0708.

In conclusion, cyber criminals likely will continue to leverage malware, like Sarwent, to leverage RDP for monetization such as selling access to systems.

Via securezoo.com

  • Upvote 1

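As an added example (not part of Kev's post, the securezoo.com article or SentinelOne's research), the PowerShell audit below checks a Windows host for the three outcomes the post attributes to Sarwent's "rdp" command: newly added local users, membership of the groups that grant RDP logon, and inbound firewall rules that open TCP 3389. The post does not give the malware's command syntax or artefacts, so the script looks for the resulting host changes rather than for the tool itself. Assumptions: Windows 10 / Server 2016 or later, run from an elevated prompt, Security auditing enabled for "User Account Management", "Security Group Management" and "MPSSVC Rule-Level Policy Change" (otherwise the event queries simply return nothing), and a 24-hour lookback window chosen only for illustration.

```powershell
# Added defender-side audit for the host changes described in the post.
# Assumed environment: Windows 10/Server 2016+, elevated prompt, auditing enabled
# for account, group and firewall-rule changes. LookbackHours is an illustrative default.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

function Get-RecentSecurityEvents {
    # 4720 = local user account created
    # 4732 = member added to a security-enabled local group
    # 4946 = rule added to the Windows Firewall exception list
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4946; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
}

function Get-RdpCapableMembers {
    # Administrators and Remote Desktop Users are the two local groups that allow RDP logon.
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Group = $group; Member = $_.Name; Source = $_.PrincipalSource }
            }
    }
}

function Get-InboundRdpAllowRules {
    # Enabled inbound allow rules whose port filter covers TCP 3389 (or every port).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389' -or $pf.LocalPort -eq 'Any')
        } |
        Select-Object DisplayName, Profile, Group
}

function Get-RdpListenerState {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    [pscustomobject]@{
        RdpEnabled = ($ts.fDenyTSConnections -eq 0)
        Listening  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }
}

# Collect everything into one report object so it can be exported or compared to a baseline.
$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Since           = $since
    RecentEvents    = @(Get-RecentSecurityEvents)
    RdpGroupMembers = @(Get-RdpCapableMembers)
    RdpAllowRules   = @(Get-InboundRdpAllowRules)
    Listener        = Get-RdpListenerState

}

"== RDP listener state ==";       $report.Listener | Format-List
"== Members of RDP-capable groups =="; $report.RdpGroupMembers | Format-Table -AutoSize
"== Inbound allow rules covering TCP 3389 =="; $report.RdpAllowRules | Format-Table -AutoSize
"== Account / group / firewall-rule events since $since =="; $report.RecentEvents | Format-Table -AutoSize

# A user created (4720) and added to Administrators or Remote Desktop Users (4732), followed
# by a new firewall rule (4946) in the same window, is the combination worth escalating.
if ($report.RecentEvents.Id -contains 4720 -and $report.RecentEvents.Id -contains 4732 -and
    $report.RecentEvents.Id -contains 4946) {
    Write-Warning "User creation, group change and firewall-rule addition all occurred within $LookbackHours h; review before allowing RDP."
}
```

Run it on a handful of hosts and diff the `RdpGroupMembers` and `RdpAllowRules` sections against a known-good baseline; a single new local account in "Remote Desktop Users" plus a fresh allow rule for 3389 is a much stronger signal than either change on its own.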
