Sentinel Labs: cybercriminals are spreading a new version of the Sarwent malware, which can open the RDP port on targeted Windows computers
Cybercriminals are spreading a new version of the Sarwent malware, which can open the Remote Desktop Protocol (RDP) port on targeted Windows computers. It was discovered by Sentinel Labs cyber security researchers. The malicious code can now execute commands via the Windows Command Prompt and PowerShell, create a new Windows user account, enable the RDP service for it, and change the Windows firewall so that RDP access to the infected machine is allowed. Moreover, removing the malware is not sufficient to stop the threat: removal does not automatically close the RDP “hole”. To clean an infected machine, the user account set up by the threat actor’s code must be removed and the RDP access port in the firewall closed.
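A defender-side audit and cleanup script for the leftovers described above (planted local account, RDP enabled, firewall opened), written here as an added example and not code from Sentinel Labs or the Sarwent report. It assumes an administrative PowerShell session on the affected host; the account name is a placeholder you replace with what your own investigation found, since the article names none.

```powershell
# Added example, not code from Sentinel Labs or the Sarwent report: audit a
# Windows host for the RDP-exposure changes the article describes (new local
# account, RDP enabled, firewall opened) and optionally undo them. Run as admin.
# $SuspectAccount is a placeholder assumption; the article names no account.
param(
    [string]$SuspectAccount = 'PLACEHOLDER_ACCOUNT',
    [switch]$Remediate
)

# 1. RDP listener state: fDenyTSConnections = 0 means RDP connections are allowed.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn  = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
Write-Host "RDP connections allowed: $rdpOn"

# 2. Enabled inbound allow rules for TCP/3389, split into the built-in
#    'Remote Desktop' group and custom rules (the kind malware adds).
$rdpAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' }
    }
$custom = $rdpAllow | Where-Object { $_.DisplayGroup -ne 'Remote Desktop' }
Write-Host "Custom rules allowing inbound TCP/3389:"
$custom | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Local accounts and their remote-access group memberships. Get-LocalUser has
#    no creation time, so Security event 4720 (user account created) is the
#    better source for "when"; PasswordLastSet is only a rough proxy.
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PasswordLastSet, LastLogon | Format-Table -AutoSize
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    Write-Host "Members of ${g}:"
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4720} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n = 'NewAccount'; e = { $_.Properties[0].Value }} |
    Format-Table -AutoSize

# 4. Remediation as the article describes it: remove the planted account and
#    close the RDP hole. Re-enabling RDP for legitimate use is a separate decision.
if ($Remediate) {
    if (Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $SuspectAccount
    }
    $custom | Disable-NetFirewallRule
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}
```

Run it without `-Remediate` first to review the findings; the account removal and firewall changes only happen when the switch is given.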