
Sarwent

Posted: May 26, 2020

Sarwent is a backdoor Trojan that helps attackers control Windows PCs. Updates to this program, which is usually found alongside high-level threats like spyware, provide an in-depth Remote Desktop-based backdoor that may require additional cleanup by the administrator. Users can protect themselves with typical anti-malware products for deleting Sarwent and should remain careful around infection sources like e-mail attachments.

Aging but Still Growing Trojans

With activity extending back at least two years, Sarwent is a non-specialized backdoor Trojan that offers remote-control features over Windows PCs. Its payload is narrower in scope than those of more advanced, predominantly reconnaissance-based threats. However, updates are changing Sarwent's capabilities gradually and giving attackers more leverage over infected computers.

Since it doesn't install itself directly, Sarwent usually is part of an infection with another, high-level threat, like Predator the Thief – a spyware program with specialized functions for collecting Web account and cryptocurrency wallet data. Sarwent provides general-purpose backdoor functionality and a file transfer feature that lets attackers download or upload at their pleasure. Still, the new add-ons to Sarwent in 2020 show its ongoing development:

One new function is a firewall-bypassing feature that lets attackers remotely administer the computer. It adds an independent Windows account and uses the standard Remote Desktop Protocol service.

Sarwent also sees improvements to its support for system commands, including Command Prompt and PowerShell capabilities (similarly to PowerTrick, Varenyky and many others).

The overall applicability of this revamped payload is highly flexible, and threat actors could use Sarwent connections for various crimes, such as mining cryptocurrency, collecting data or ransoming files by encrypting them. Victims also are endangered by any independent attack capabilities from the threat that's installing Sarwent in the first place, like experiencing financial account hijackings.

The Swinging Door into Your Computer that Anyone can Walk Through for a Price

Although Sarwent's threat actor may retain exclusive access to infected systems, historical patterns of deployment for backdoor Trojans of this stripe suggest a different future. Threat actors without ties to specialized intelligence recon entities (a la Thrip) often sell access to compromised PCs and networks on the dark Web. This third-party-offloading of Sarwent's backdoor gives the criminals controlling Sarwent a dependable profit without the micromanagement or risk of maintaining a banking Trojan campaign, mining for Bitcoins or similar attacks.

Double-checking Windows accounts, firewall settings and other tampered-with Windows infrastructure may help users identify Sarwent installations informally. Network-monitoring tools also should remain capable of flagging traffic associated with any known Command & Control domains. Inadequately secured business networks are at especially high risk of an attack, which may compromise a 'watering hole' website pertinent to the industry's traffic or send customized e-mail phishing messages.
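The firewall-bypassing RDP feature described above and the double-checking recommended here point at the same three host artifacts: an unexpected local account, Remote Desktop switched on, and a firewall rule that opens the RDP port. The following read-only audit script is an added example, not code from the original article or from any vendor; it assumes an elevated PowerShell 5.1 or later session on the host being checked, and the account allowlist at the top is a placeholder you must replace with the accounts you actually expect.

```powershell
# Added audit script (not part of the original article). Read-only: it reports
# and changes nothing. Run elevated so the Security log and firewall are readable.

# PLACEHOLDER: the built-in accounts plus whatever you expect on this host.
$ExpectedAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
$LookbackDays     = 30

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
}

# 1. Local accounts that are not on the allowlist, with enable state and last logon.
Get-LocalUser | Where-Object { $ExpectedAccounts -notcontains $_.Name } | ForEach-Object {
    Add-Finding 'UnexpectedLocalAccount' "$($_.Name) enabled=$($_.Enabled) lastLogon=$($_.LastLogon)"
}

# Members of the group that grants RDP sign-in rights.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'RdpGroupMember' $_.Name
}

# 2. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 0) { Add-Finding 'RdpEnabled' 'fDenyTSConnections=0' }

# The listening port can be changed from the default 3389, so read it rather than assume it.
$rdpPort = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

# 3. Enabled inbound allow rules that open the RDP port (or every port) over TCP.
#    Anything outside the built-in 'Remote Desktop' rule group merits a closer look.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    $opensRdp = ($pf.Protocol -eq 'TCP') -and
                (($pf.LocalPort -contains "$rdpPort") -or ($pf.LocalPort -eq 'Any'))
    if ($opensRdp) {
        $check = if ($rule.DisplayGroup -eq 'Remote Desktop') { 'RdpRuleBuiltIn' } else { 'RdpRuleCustom' }
        Add-Finding $check "$($rule.DisplayName) port=$($pf.LocalPort -join ',')"
    }
}

# 4. Security log: account creations (4720) and RDP logons (4624 with LogonType 10)
#    within the lookback window. Property index 8 of a 4624 event is the logon type.
$filter = @{ LogName = 'Security'; Id = 4720, 4624; StartTime = (Get-Date).AddDays(-$LookbackDays) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    switch ($_.Id) {
        4720 { Add-Finding 'AccountCreated' "$($_.TimeCreated) target=$($_.Properties[0].Value)" }
        4624 {
            if ($_.Properties[8].Value -eq 10) {
                Add-Finding 'RdpLogon' "$($_.TimeCreated) user=$($_.Properties[5].Value) from=$($_.Properties[18].Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

A non-empty 'UnexpectedLocalAccount' line combined with 'RdpEnabled' and an 'RdpRuleCustom' line is the pattern the text describes; a built-in 'Remote Desktop' rule on a host where RDP is deliberately used is normal and is reported separately so it is not mistaken for tampering. The script is intentionally read-only because removing the account or rule before the associated spyware component has been found only alerts the operator without closing the original infection vector.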

If fully patched, anti-malware products should find and delete Sarwent, although additional cleanup of associated components and re-securing RDP settings will be necessary.

This update to Sarwent is a subtle pivot in how the Trojan does its business, and it means that hackers will have an easier time accessing systems than ever before. It may not innovate much, but another competent backdoor service on the black market isn't good tidings for any business.
