Sarwent Malware Continues to Evolve With Updated Command Functions

Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, with new commands and a focus on RDP.

Executive Summary

  • Updates to Sarwent malware show a continued interest in backdoor functionality such as executing PowerShell commands.
  • Updates also show a preference for using RDP
  • Sarwent has been seen using the same binary signer as at least one TrickBot operator[1]

Background

Sarwent appears to have been actively used since at least 2018 but not a lot has been publicly reported about it during that time period.

Research Insight

Sarwent functionality has historically revolved around being a loader, as shown by the limited number of original commands:

|download|
|update|
|vnc|

Some other functionality that has remained consistent is its AV(AntiVirus) checking.

Figure 1: AV checks

 

Recent updates include a minor change to their C2 URI structure[2].

Figure 2: C2 checking update

 

Also, there has recently been the addition of a number of commands that would normally be seen in malware that focus more on backdoor or RAT like capabilities.

|cmd|
|powershell|
|rdp|

These are interesting updates and additions; cybercrime groups have continued to try to leverage as much as they can for monetization and RDP continues to be a focus as can be seen in the recent proliferation of services selling access to systems[3].

The ‘cmd’ and ‘powershell’ commands are simply commands to be detonated.

Figure 3: Command line detonations

 

The results are base64 encoded and sent back to the C2 through the matching URL route.

Figure 4: Base64 encode command results

 

C2 routes for sending responses:

/gate/cmd_exec
/gate/powershell_exec

The ‘rdp’ command is a bit different; the code execution looks like it serves to tell the bot to perform a series of tasks:

  • Add a new user
  • List groups and users
  • Punch hole in local firewall
Figure 5: Add new user

 

Figure 6: List network groups and users

 

Figure 7: Allow firewall connections on RDP port

 

This command, then, is more related to setting up the system for RDP access at a later time.

Mitigation & Recommendations

Endpoint:

CommadLine="cmd /c ping localhost & regsvr32 /s *"

Network: A number of network rules already exist in Emerging Threats[4], so I decided to look at adding some Suricata rules that might not be currently covered.

Suricata rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent CMD response Post”; content:”POSt”; http_method; content:”/gate/cmd_exec”; http_uri; classtype:trojan-activity; sid:9000040; rev:1; metadata:author Jason Reaves;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent Powershell response Post”; content:”POST”; http_method; content:”/gate/powershell_exec”; http_uri; classtype:trojan-activity; sid:9000041; rev:1; metadata:author Jason Reaves;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent RDP exec response”; content:”GET”; http_method; content:”/gate/rdp_exec?command=”; http_uri; content:”&status=”; http_uri; classtype:trojan-activity; sid:9000042; rev:1; metadata:author Jason Reaves;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent update exe response”; content:”GET”; http_method; content:”/gate/update_exec?command=”; http_uri; content:”&status=”; http_uri; classtype:trojan-activity; sid:9000043; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent update command”; content:”200″; http_stat_code; content:”fHVwZGF0ZX”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000044; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent download command”; content:”200″; http_stat_code; content:”fGRvd25sb2Fkf”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000045; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent powershell command”; content:”200″; http_stat_code; content:”fHBvd2Vyc2hlbGx8″; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000046; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent rdp command”; content:”200″; http_stat_code; content:”fHJkcH”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000047; rev:1; metadata:author Jason Reaves;)

Indicators of Compromise

Download Location:
whatsmyhomeworthlondonontario[.]ca/wp-admin/version.exe
beurbn[.]com/install.exe

V2 samples

Hash:
3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
Domains
seoanalyticsproj.xyz
seoanalyticsproewj.xyz
seoanalyticsp34roj.xyz
seoanalyticsptyrroj.xyz
seoanalyticsprojrts.xyz
seoanalyticspro32frghyj.xyz

Hash:
ab57769dd4e4d4720eedaca31198fd7a68b7ff80
Domains
vertuozoff.xyz
vertuozoff.club
vertuozofff.xyz
vertuozofff.com
vertuozofff.club
vertuozoffff.club

Hash:
d297761f97b2ead98a96b374d5d9dac504a9a134
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz

Hash:
3eeddeadcc34b89fbdd77384b2b97daff4ccf8cc
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz

Hash:
106f8c7ddbf265fc108a7501b6af292000dd5219
Domains
blognews-journal.com
startprojekt.pw
blognews-joural.com
blognews-joural.best
blognews-joural.info
startprojekt.pro

V1 Samples

Hash:
83b33392e045425e9330a7f009801b53e3ab472a
Domains
212.73.150.246
softfaremiks.icu
shopstoregame.icu
shopstoregamese.icu

Hash:
2979160112ea2de4f4e1b9224085efbbedafb593
Domains
shopstoregame.icu
softfaremiks.icu
shopstoregamese.icu shopstoregamese.com shopstoregames.icu

References

1: https://twitter.com/VK_Intel/status/1228833249536987138
2: https://twitter.com/James_inthe_box/status/1228788661006659584
3: https://twitter.com/VK_Intel/status/1242587625409609731
4: https://github.com/silence-is-best/c2db