Sarwent

By GoldSparrow in Malware

The Sarwent malware first showed up in 2018. Back then, Sarwent was a very basic piece of malware that served only as a first-stage loader: it let the attackers plant other threats on the infected computer and did little else. Since then, malware researchers have spotted new iterations of Sarwent that are considerably more capable than the earliest variants of this Trojan.

The latest variants of the Sarwent Trojan pack two main features that were not available in earlier versions of the threat:

  • They can use PowerShell and the Windows Command Prompt (cmd.exe) to execute commands sent by the operators on the compromised host.
  • They can create a new Windows user account, which the attackers can then use to reach the host over RDP (Remote Desktop Protocol).



Getting into the targeted system over RDP also helps the Sarwent operators evade security measures: the Trojan changes the host's firewall configuration so that inbound RDP connections to the newly created account are permitted rather than blocked, and the attackers then arrive as an ordinary interactive logon instead of as an obviously malicious process.

So far, the cybercriminals behind the Sarwent Trojan have not been observed using its RDP feature. That does not imply they do not intend to: RDP access would let them collect information, deploy additional payloads on the compromised PC, plant ransomware that extorts the user, and so on. It is also common for malware authors to rent out or sell their creations rather than use them themselves; doing so brings in revenue without exposing the authors to the repercussions that could follow if they carried out the attacks personally.

If Sarwent has compromised your computer, it may be rather difficult to remove completely, since it makes significant changes to the operating system's configuration. A reputable, up-to-date anti-malware solution should be able to clear the Trojan itself from the system. After removing Sarwent, do not forget to also remove the Windows account the Trojan created and to undo the Remote Desktop and firewall changes that made that account reachable.
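The account, RDP and firewall changes described above, and the cleanup step, can be checked and carried out from an elevated PowerShell session. The script below is an added example for this page; it is not Sarwent's own code and not code from the original article. It audits the host for a local account outside an allow-list (and whether that account sits in the Remote Desktop Users or Administrators groups), recent account-creation events, Remote Desktop being enabled, and inbound firewall rules that admit TCP/3389, then offers a removal routine for an account you have confirmed is rogue. The `$KnownGood` allow-list, the function names and the 30-day lookback are assumptions for illustration.

```powershell
# Added example (not Sarwent's code, not from the original page): triage a Windows
# host for a planted RDP-capable local account and clean it up. Run elevated.
# $KnownGood is an assumed allow-list of expected local accounts; adjust per image.

function Get-RdpBackdoorTriage {
    [CmdletBinding()]
    param(
        [string[]]$KnownGood = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'),
        [int]$LookbackDays = 30
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Local accounts outside the allow-list, tagged with the groups that matter for RDP.
    # Get-LocalGroupMember reports names as COMPUTERNAME\user, so qualify before comparing.
    $rdpMembers   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $adminMembers = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    foreach ($u in Get-LocalUser) {
        if ($KnownGood -contains $u.Name) { continue }
        $qualified = "$env:COMPUTERNAME\$($u.Name)"
        $groups = @()
        if ($rdpMembers   -contains $qualified) { $groups += 'Remote Desktop Users' }
        if ($adminMembers -contains $qualified) { $groups += 'Administrators' }
        $findings.Add("Unexpected local account '$($u.Name)' (Enabled=$($u.Enabled); LastLogon=$($u.LastLogon); Groups=$($groups -join ', '))")
    }

    # Security event 4720 records local account creation: Properties[0] is the new
    # account's name and Properties[4] the account that created it.
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("Account '$($_.Properties[0].Value)' created $($_.TimeCreated) by '$($_.Properties[4].Value)'")
        }

    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings.Add('Remote Desktop is enabled (fDenyTSConnections=0)') }

    # Enabled inbound allow rules that admit TCP/3389. Built-in Remote Desktop rules carry
    # a '@FirewallAPI.dll,...' Group resource; a rule added ad hoc with
    # 'netsh advfirewall firewall add rule' normally has an empty Group.
    # (Port ranges such as '3000-4000' are not expanded here.)
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389' -or $pf.LocalPort -contains 'Any')) {
            $origin = if ($rule.Group) { "group '$($rule.Group)'" } else { 'no group (likely added manually or by a script)' }
            $findings.Add("Inbound firewall rule '$($rule.DisplayName)' allows TCP/3389; $origin")
        }
    }
    return $findings
}

function Remove-RogueLocalAccount {
    param([Parameter(Mandatory)][string]$Name)
    # Disable first so no new logons succeed while the rest of the cleanup runs.
    # An RDP session that is already established survives this; list sessions with
    # 'quser' and end the account's session with 'logoff <id>' before continuing.
    Disable-LocalUser -Name $Name
    foreach ($g in 'Remote Desktop Users', 'Administrators') {
        Remove-LocalGroupMember -Group $g -Member $Name -ErrorAction SilentlyContinue
    }
    Remove-LocalUser -Name $Name
    # Remove-LocalUser leaves the profile directory behind; delete it through CIM.
    Get-CimInstance Win32_UserProfile |
        Where-Object { $_.LocalPath -like "*\$Name" -and -not $_.Special } |
        Remove-CimInstance
}

# Usage: review the findings first, then act only on an account confirmed as rogue.
# Get-RdpBackdoorTriage
# Remove-RogueLocalAccount -Name 'rogue-user'
```

The triage reports rather than deletes on purpose: a legitimate administrator account in the Remote Desktop Users group looks identical to a planted one, so the decision to remove has to be made against the host's expected baseline, which is why the allow-list is a parameter.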

File System Details

Sarwent may create the following file(s), identified here by SHA-1 hash:
# SHA-1
1. 3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
2. ab57769dd4e4d4720eedaca31198fd7a68b7ff80
3. d297761f97b2ead98a96b374d5d9dac504a9a134
4. 3eeddeadcc34b89fbdd77384b2b97daff4ccf8cc
5. 106f8c7ddbf265fc108a7501b6af292000dd5219
6. 83b33392e045425e9330a7f009801b53e3ab472a
7. 2979160112ea2de4f4e1b9224085efbbedafb593

URLs

Sarwent may contact the following IP address and domains:

212.73.150.246
blognews-joural.best
blognews-joural.com
blognews-joural.info
blognews-journal.com
rabbot.xyz
rubbolt.xyz
rubbot.xyz
seoanalyticsp34roj.xyz
seoanalyticspro32frghyj.xyz
seoanalyticsproewj.xyz
seoanalyticsproj.xyz
seoanalyticsprojrts.xyz
seoanalyticsptyrroj.xyz
shopstoregame.icu
shopstoregames.icu
shopstoregamese.com
shopstoregamese.icu
softfaremiks.icu
startprojekt.pro
startprojekt.pw
tebbolt.xyz
terobolt.xyz
treawot.xyz
vertuozoff.club
vertuozoff.xyz
vertuozofff.club
vertuozofff.com
vertuozofff.xyz
vertuozoffff.club
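The hashes and domains above are what a responder would sweep a host for. The script below is an added example and is not code from the original page or from the malware's authors: it copies the page's SHA-1 and domain lists verbatim, hashes files under a set of user-writable locations, and checks the local DNS client cache and current TCP connections against the indicators. The search paths, the 64 MB size cap and the function names are assumptions for illustration.

```powershell
# Added example (not from the original page): sweep a host against the Sarwent
# indicators listed above. Hashes, domains and IP are copied from the page; the
# default search paths and size cap are assumed defaults and can be overridden.
$SarwentSha1 = @(
    '3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c', 'ab57769dd4e4d4720eedaca31198fd7a68b7ff80',
    'd297761f97b2ead98a96b374d5d9dac504a9a134', '3eeddeadcc34b89fbdd77384b2b97daff4ccf8cc',
    '106f8c7ddbf265fc108a7501b6af292000dd5219', '83b33392e045425e9330a7f009801b53e3ab472a',
    '2979160112ea2de4f4e1b9224085efbbedafb593'
)
$SarwentDomains = @(
    'blognews-joural.best', 'blognews-joural.com', 'blognews-joural.info', 'blognews-journal.com',
    'rabbot.xyz', 'rubbolt.xyz', 'rubbot.xyz',
    'seoanalyticsp34roj.xyz', 'seoanalyticspro32frghyj.xyz', 'seoanalyticsproewj.xyz',
    'seoanalyticsproj.xyz', 'seoanalyticsprojrts.xyz', 'seoanalyticsptyrroj.xyz',
    'shopstoregame.icu', 'shopstoregames.icu', 'shopstoregamese.com', 'shopstoregamese.icu',
    'softfaremiks.icu', 'startprojekt.pro', 'startprojekt.pw',
    'tebbolt.xyz', 'terobolt.xyz', 'treawot.xyz',
    'vertuozoff.club', 'vertuozoff.xyz', 'vertuozofff.club', 'vertuozofff.com',
    'vertuozofff.xyz', 'vertuozoffff.club'
)
$SarwentIPs = @('212.73.150.246')

function Test-SarwentDomain {
    # True if $Name is one of the listed domains or a subdomain of one.
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($d in $SarwentDomains) {
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-SarwentFiles {
    # SHA-1 every file under the given paths and report matches against the hash list.
    param([string[]]$Paths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC))
    $known = [System.Collections.Generic.HashSet[string]]::new([string[]]$SarwentSha1, [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path $Paths -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Length -lt 64MB } |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue
            if ($h -and $known.Contains($h.Hash)) {
                [pscustomobject]@{ Path = $_.FullName; SHA1 = $h.Hash.ToLower(); Modified = $_.LastWriteTime }
            }
        }
}

function Find-SarwentNetwork {
    # Resolver-cache entries for listed domains (or resolving to the listed IP),
    # and current TCP connections to the listed IP with the owning process.
    foreach ($e in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        if ((Test-SarwentDomain $e.Entry) -or ($SarwentIPs -contains $e.Data)) {
            [pscustomobject]@{ Source = 'DnsClientCache'; Indicator = $e.Entry; Detail = $e.Data; Process = $null }
        }
    }
    foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $SarwentIPs -contains $_.RemoteAddress }) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Source = 'NetTCPConnection'; Indicator = $c.RemoteAddress
            Detail = "$($c.RemotePort)/$($c.State)"; Process = "$($p.ProcessName) ($($c.OwningProcess))"
        }
    }
}

# Usage:
# Find-SarwentFiles   | Format-Table -AutoSize
# Find-SarwentNetwork | Format-Table -AutoSize
```

Hash matching only finds the exact samples listed, so treat an empty file sweep as inconclusive; the DNS and connection checks, and the account and firewall triage, catch variants the hash list does not cover.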
