Windows 2018 malware returns and opens RDP for more hackers

A Windows malware strain first seen in 2018 is active once again. This time it opens RDP so that additional attackers can get into the infected machine.

A recent report from a team of security researchers revealed the presence of a Windows malware dubbed Sarwent. The malware may not be as widely known as recently reported attacks, but it is capable of weakening a device's defenses.

Sarwent malware infection explained

SentinelOne, a security research team, reported that it had spotted the Sarwent malware once again. According to the team, the malware operates by opening the Remote Desktop Protocol (RDP) on a Windows PC.

Access to RDP gives attackers the freedom to intrude on the infected system: they can view the machine and install further malware remotely.

Jason Reaves, a SentinelOne malware researcher, believes that Sarwent has grown stronger since it first appeared in 2018. Reaves added that the malware recently received two critical updates.

Both updates boosted Sarwent's ability to act on a compromised operating system. The first gave it access to the Windows Command Prompt and PowerShell, through which it executes custom command-line instructions.

Shortly after the first update, Sarwent received a second one that caught the attention of security researchers. SentinelOne detailed how this most recent update operates.

The researcher said that the malware creates a new Windows user account, signs in with it, and enables the Remote Desktop Protocol. It also changes the Windows firewall settings, lowering the security level.

Once the Windows firewall has been modified, it becomes easier for attackers to invade the system. Through the open RDP, they can control and exploit the infected device from outside.

The attacker's control over the infected host persists as long as RDP remains open and no firewall is in place to block further malicious activity.

Meanwhile, the SentinelOne representative assured the public that distribution of the Sarwent malware is still limited. He added that the team has seen it delivered as a secondary infection by a primary malware.

How to disable the Sarwent malware from Windows PCs

Because it arrives as a secondary infection, cleaning it out directly takes more steps. Users must remove the source of the malware, in this case Sarwent itself, from the device.

The Windows account Sarwent created should also be deleted and RDP closed again. Then restore the Windows firewall settings and turn full protection back on.
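The three changes described above (a new local account, RDP enabled, firewall weakened) and the cleanup steps just listed can be checked and reversed from an elevated PowerShell session. The script below is an added example; it is not code from the article or from SentinelOne. The article does not name the account Sarwent creates, so `$SuspectAccount` is a placeholder you must set yourself, and the `'Remote Desktop'` rule group name assumes an English-language Windows install. Recent account creations are read from Security event 4720, which only exists if account-management auditing is on. Removing the Sarwent binary itself, which the article says must come first, is outside what this script does.

```powershell
# Added example, not code from the article or from SentinelOne.
# Audits a Windows host for the three changes the article attributes to
# Sarwent (a new local account, RDP enabled, firewall weakened) and, with
# -Remediate, undoes them. $SuspectAccount is a placeholder: the article
# does not name the account Sarwent creates. Run from elevated PowerShell.

[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$SuspectAccount = 'PLACEHOLDER_ACCOUNT',
    [int]$RecentDays = 7
)

$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Local accounts created recently (Security event 4720, if audited) ---
$since  = (Get-Date).AddDays(-$RecentDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
          -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    # Pull the created account name from the event's XML rather than relying on property order
    $data   = ([xml]$ev.ToXml()).Event.EventData.Data
    $target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $findings.Add("Local account '$target' created at $($ev.TimeCreated)")
}

# Members of the groups that permit remote logon are worth reviewing either way
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Member of '$group': $($_.Name)") }
}

# --- 2. Is RDP enabled? fDenyTSConnections = 0 means connections are allowed ---
$deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings.Add('RDP is enabled (fDenyTSConnections = 0)') }

# --- 3. Firewall profiles turned off, and inbound RDP rules enabled ---
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is disabled") }
# 'Remote Desktop' is the built-in rule group name on English Windows (assumption)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Inbound RDP firewall rule enabled: $($_.DisplayName)") }

$findings | ForEach-Object { Write-Output "[finding] $_" }

if (-not $Remediate) { return }

# --- Remediation: reverse the changes in the order the article lists them ---
# Delete the account the malware created, but only if it actually exists
if (Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue) {
    Remove-LocalUser -Name $SuspectAccount
    Write-Output "Removed local account '$SuspectAccount'"
}
# Close RDP again: deny connections and disable the inbound rule group
Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
# Restore the firewall on every profile, blocking inbound traffic by default
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
Write-Output 'RDP disabled and firewall profiles re-enabled'
```

Run it once without `-Remediate` to see the findings, confirm the account name against the 4720 output and group membership, then run it again with `-Remediate -SuspectAccount <name>`. Any interactive session the rogue account still holds should be logged off before the account is removed, and the machine should be rechecked after the primary infection has been cleaned, since the article notes Sarwent is dropped by another malware that could simply reapply these changes.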

SentinelOne is considering proprietary data theft and ransomware installation as possible motives behind Sarwent. Its operators could also be renting out the Windows RDP access to other malware gangs.

Image courtesy of TheDigitalArtist/Pixabay

Leah Yecla

