
Lazy Threat Actors Push the New CowerSnail Windows Backdoor

Posted: July 27, 2017

You may have heard of Samba. No, we're not talking about the Brazilian dance, we're referring to the open source implementation of the Server Message Block (SMB) protocol that allows Windows and Unix machines to use the same shared resources on a network. SMB, as you may have also heard, made quite a few headlines a few months ago when a vulnerability in the protocol allowed the WannaCry ransomware to run rampant. Mere days after the WannaCry outbreak, researchers discovered a security flaw in Samba as well. They decided to name it SambaCry.

It should be noted that SambaCry works on Unix-based systems only, and Samba did patch it in May, so it was never really going to have as much of an impact as the flaw that allowed the WannaCry disaster. Nevertheless, being a vulnerability, someone was bound to exploit it. Sure enough, as Trend Micro researchers noted recently, a piece of malware called Shellbind has been using it to compromise Network Attached Storage (NAS) devices. Shellbind wasn't the first one, though.

In June, researchers from Kaspersky wrote about a couple of Linux Trojans, a backdoor and a cryptocurrency miner, that had been exploiting SambaCry even before its public disclosure. Right now, they are saying that the same threat actors have created a new backdoor, this time for Windows PCs.

For reasons that are not clear, it's called CowerSnail, and Kaspersky's analysis of it suggests that its authors weren't trying terribly hard when they were creating it. The cybercrooks didn't even move the Command and Control (C&C) server and instead opted to reuse the one they employed with their Linux backdoor.

CowerSnail isn't especially sophisticated, either. According to the VirusTotal analysis of Kaspersky's sample, the backdoor comes as an EXE file, which might raise suspicion among some of the potential victims. Sadly, there's no information on the distribution method.

The executable's first task is to try to elevate the privilege of its process and thread. Then, it attempts to register its communication thread as a Windows service. Regardless of whether it's successful or not, it continues by pinging the C&C over the IRC protocol. The server sends a "sysinfo" request, and the malware responds with a total of fourteen strings containing all sorts of information about the infected host. These fourteen strings register the host with the C&C, and the infection is complete.

Next, CowerSnail pings the server again and waits for commands. The commands can tell the malware to:

  • Update itself
  • Execute batch commands
  • Install the backdoor as a service
  • Remove itself
  • Collect system information
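
The behaviour chain described above (privilege elevation, service registration, then an IRC beacon to the C&C) is what a defender would correlate on. Below is an added example, not code from the original post or from Kaspersky, that runs such a correlation over constructed endpoint telemetry; the event field names and the IRC port numbers are assumptions, since the write-up names only the protocol.

```python
from collections import defaultdict

# Assumption: standard IRC ports; the write-up names only the protocol, not a port.
IRC_PORTS = {6667, 6697}

# Constructed sample telemetry (not real sensor output); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4120, "image": r"C:\Users\bob\update.exe", "type": "privilege_adjust"},
    {"ts": 2, "pid": 4120, "image": r"C:\Users\bob\update.exe", "type": "service_install",
     "service": "WinUpdSvc"},
    {"ts": 3, "pid": 4120, "image": r"C:\Users\bob\update.exe", "type": "network_connect",
     "dst": "198.51.100.7", "dport": 6667},
    # Benign noise: a system process on HTTPS and a real IRC client with no service install.
    {"ts": 4, "pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "type": "network_connect", "dst": "203.0.113.5", "dport": 443},
    {"ts": 5, "pid": 2210, "image": r"C:\Program Files\HexChat\hexchat.exe",
     "type": "network_connect", "dst": "198.51.100.9", "dport": 6667},
]


def correlate(events):
    """Return, per pid, which stages of the chain were observed and the IRC peer if any."""
    chains = defaultdict(lambda: {"image": None, "stages": set(), "irc_dst": None})
    # Process in time order: the beacon only counts after the service registration attempt.
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = chains[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["type"] == "privilege_adjust":
            rec["stages"].add("elevate")
        elif ev["type"] == "service_install":
            rec["stages"].add("service")
        elif ev["type"] == "network_connect" and ev.get("dport") in IRC_PORTS:
            if "service" in rec["stages"]:
                rec["stages"].add("irc_beacon")
                rec["irc_dst"] = ev["dst"]
    return chains


def suspicious_pids(events):
    """Flag processes that register a service and then open an IRC connection."""
    return sorted(pid for pid, rec in correlate(events).items()
                  if {"service", "irc_beacon"} <= rec["stages"])


if __name__ == "__main__":
    for pid in suspicious_pids(SAMPLE_EVENTS):
        rec = correlate(SAMPLE_EVENTS)[pid]
        print(f"pid {pid} {rec['image']} -> IRC peer {rec['irc_dst']}, stages {sorted(rec['stages'])}")
```

A legitimate IRC client is not flagged because it never registered itself as a service, which is the distinguishing step in the chain the write-up describes.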

Kaspersky pointed out that the threat actors have used a software development kit called Qt to take the Linux backdoor's code and adapt it to work on Windows machines. The changes to the code itself have been kept to a minimum. In other words, CowerSnail was something of a side project, and the authors didn't really put that much effort into it. That said, it's not something you want to have on your PC.
