A Windows malware strain from 2018 is at large once again. This time the attack opens RDP on the infected machine so that more hackers can intrude.
A recent report from a team of security researchers revealed the presence of a Windows malware dubbed Sarwent. The malware may not be as widely known as recently reported attacks, but it is capable of disabling a device's defenses.
Sarwent malware infection explained
SentinelOne, a security research team, reported that it has spotted the Sarwent malware once again. The team said that the attack operates by opening the Remote Desktop Protocol (RDP) on a Windows PC.
Access to RDP gives hackers the freedom to intrude on the infected device's system. The attacker is able to view the machine and install malware remotely.
Jason Reaves, a SentinelOne malware researcher, believes that Sarwent has grown stronger since its launch in 2018. Reaves added that the malware recently received two critical updates.
Both updates boosted Sarwent's ability to intrude on a computer's operating system. The first update gave it access to the Windows Command Prompt and PowerShell utilities, through which it executes custom CLI commands.
Immediately after the first update, Sarwent received a second one that caught the attention of security researchers. SentinelOne elaborated on how the most recent Sarwent update operates.
The researcher said that the malware creates a new Windows user account, signs in with it, and enables the Remote Desktop Protocol. It then changes the Windows firewall settings and reduces the security level.
Once the Windows firewall has been modified, it becomes easier for attackers to invade the computer system. Through the open RDP port, hackers can control and exploit the infected device from outside.
The hacker's control over the infected host lasts as long as RDP remains open, and it continues because no firewall is blocking the malicious connection.
Meanwhile, the SentinelOne representative assured the public that distribution of the Sarwent malware is still limited. He added that the team spotted the attack as a secondary infection delivered by a primary malware.
How to disable the Sarwent malware from Windows PCs
Since it is considered a secondary infection, directly cleaning out the malware takes more steps. Users must remove the source of the malware, in this case Sarwent itself, from the device.
The Sarwent Windows account should also be deleted and RDP must be closed once again. Modify the Windows firewall and reactivate full protection.
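The three host changes the article attributes to Sarwent (a new local account, RDP switched on, the firewall weakened) can be audited and reversed from an elevated PowerShell session. The script below is an added example, not code from the article or from SentinelOne; it assumes the built-in account list in $KnownAccounts is adjusted to the machine, and the -Remediate switch is a parameter of this script, not a Windows setting.

```powershell
# Added example (not from the article or SentinelOne): audit a Windows host for the
# changes described above and, with -Remediate, reverse them. Run as Administrator.
param(
    # Constructed placeholder: the local accounts expected on this machine. Adjust before use.
    [string[]]$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'),
    [switch]$Remediate
)

$findings = @()

# 1. Local accounts not on the expected list (the malware creates its own user).
$unknown = Get-LocalUser | Where-Object { $KnownAccounts -notcontains $_.Name }
foreach ($u in $unknown) {
    $findings += "Unexpected local account: $($u.Name) (enabled: $($u.Enabled), last logon: $($u.LastLogon))"
}

# 2. Account-creation events (Security event 4720) from the last 7 days, for timeline context.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $findings += "Account created at $($e.TimeCreated): $($e.Properties[0].Value)"
}

# 3. RDP state: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyRdp = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($denyRdp -eq 0) { $findings += 'Remote Desktop connections are enabled' }

# 4. Firewall state: a profile switched off, or the inbound Remote Desktop rule group opened.
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
foreach ($p in $off) { $findings += "Firewall profile disabled: $($p.Name)" }
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rdpRules) { $findings += "Inbound Remote Desktop firewall rules enabled: $(@($rdpRules).Count)" }

if ($findings.Count -eq 0) { 'No Sarwent-style changes found' } else { $findings }

# Reverse the changes. Unexpected accounts are disabled rather than deleted so an
# administrator can review them before removing them with Remove-LocalUser.
if ($Remediate) {
    foreach ($u in $unknown) { Disable-LocalUser -Name $u.Name }
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -All -Enabled True
}
```

Disabling inbound RDP this way also cuts off legitimate administrators who rely on it, so re-enable it deliberately once the host is confirmed clean.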
SentinelOne is looking at proprietary-data theft or ransomware installation as possible reasons for Sarwent's existence. Its operators could also be renting the Windows RDP access to other malware gangs.