Security researchers have found malware that opens the Remote Desktop Protocol (RDP) port in the Windows firewall of an infected machine. Once that port is open, the attackers can come back later and abuse RDP to reach the host.
The Sarwent malware has been in use since 2018. At the beginning of 2020 Vitali Kremez tweeted about it, but there is still little public information about Sarwent.
How Sarwent is spread is not entirely known; it is suspected that it is dropped by other malware, possibly through botnets.
What is known is that after infection Sarwent creates a new Windows user account on the computer, enables RDP on the host and allows TCP port 3389 through the Windows firewall. RDP is most likely opened so that the attacker can later log on to the infected computer through the newly created account.
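To turn that behaviour into a host check, here is an added PowerShell hunting script; it is not code from the original article or from any published Sarwent analysis. It looks for the artefacts described above: a newly created local account, an inbound firewall rule that allows TCP 3389, an active RDP listener, and any RDP logons in the look-back window. It assumes an elevated PowerShell 5.1 or later session on the host being examined, that account-management and logon auditing are enabled so Security events 4720 and 4624 exist, and the 30-day look-back is an arbitrary default.

```powershell
<#
 Added hunting example, not code from the original article or from any Sarwent analysis.
 Checks a Windows host for the post-infection artefacts described in the text:
 a newly created local account, TCP 3389 allowed inbound by the firewall, an RDP
 listener, and recent RDP logons. Run elevated. The 30-day window is an assumption.
#>
[CmdletBinding()]
param([int]$Days = 30)

$since = (Get-Date).AddDays(-$Days)

# --- 1. Local accounts -------------------------------------------------------
# Get-LocalUser records no creation time, so list every local account and then pull
# the account-creation events (4720) from the Security log for the look-back window.
Write-Host "== Local user accounts =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, Description | Format-Table -AutoSize

Write-Host "== Account creation events (4720) since $since =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction Stop |
        ForEach-Object {
            # 4720 EventData order: TargetUserName (0), TargetDomainName (1), TargetSid (2),
            # SubjectUserSid (3), SubjectUserName (4), ...
            [pscustomobject]@{
                Time       = $_.TimeCreated
                NewAccount = $_.Properties[0].Value
                CreatedBy  = $_.Properties[4].Value
            }
        } | Format-Table -AutoSize
}
catch {
    Write-Warning "No 4720 events readable: $($_.Exception.Message)"
}

# An account can only log on over RDP if it is a member of Administrators or
# Remote Desktop Users, so show who currently holds that right.
Write-Host "== Members of 'Remote Desktop Users' and 'Administrators' =="
'Remote Desktop Users', 'Administrators' | ForEach-Object {
    $g = $_
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, PrincipalSource
} | Format-Table -AutoSize

# --- 2. Firewall rules that let TCP 3389 in ----------------------------------
# Walk the port filters of enabled inbound Allow rules and keep those whose protocol
# and local port cover 3389 (explicitly, or via 'Any').
Write-Host "== Enabled inbound Allow rules covering TCP 3389 =="
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -in 'TCP', 'Any' -and
        (@($_.LocalPort) -contains '3389' -or @($_.LocalPort) -contains 'Any')
    } |
    Get-NetFirewallRule |
    Select-Object Name, DisplayName, Profile,
        # Built-in rules carry a Group id such as '@FirewallAPI.dll,-28752'; a rule with
        # an empty Group was added by hand, by a script or by malware.
        @{ n = 'BuiltIn'; e = { [bool]$_.Group } } |
    Format-Table -AutoSize

# --- 3. Is RDP actually enabled and listening on the host? -------------------
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
Write-Host ("RDP connections allowed (fDenyTSConnections = 0): {0}" -f ($ts.fDenyTSConnections -eq 0))
Write-Host ("TermService state: {0}" -f (Get-Service TermService).Status)
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# --- 4. RDP logons (4624 with LogonType 10) in the look-back window ----------
Write-Host "== RemoteInteractive logons (4624 / type 10) since $since =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop |
        Where-Object { $_.Properties[8].Value -eq 10 } |   # index 8 = LogonType
        Select-Object TimeCreated,
            @{ n = 'User';   e = { $_.Properties[5].Value } },   # TargetUserName
            @{ n = 'Source'; e = { $_.Properties[18].Value } } | # IpAddress
        Format-Table -AutoSize
}
catch {
    Write-Warning "No 4624 events readable: $($_.Exception.Message)"
}
```

Read the output together: a local account that appears in the 4720 list, sits in Remote Desktop Users or Administrators, coincides with a 3389 Allow rule that is not built-in, and is followed by type-10 logons from an outside address is exactly the chain the paragraph above describes. Any one of these on its own can be legitimate administration, so confirm with change records before treating the host as compromised.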
Sarwent IP addresses, MD5 hashes and domains are known and are distributed as indicators of compromise (IOCs) so that companies can detect Sarwent. Because those atomic IOCs change between samples, the behaviour itself (a new local account appearing alongside a fresh inbound firewall rule for port 3389) is worth alerting on as well.