+32 479670903

New Windows Backdoor Malware CowerSnail discovered

by Pablo Brusseel | July 26, 2017 | 0 Comments
New Windows Backdoor Malware CowerSnail discovered

A new kind of Backdoor Malware has been seen on the radar of security researchers. The trojan named CowerSnail is a virus made by the same group that was responsible for the exploitation SambaCry vulnerability that made it possible for them infect a load of Linux servers for the mining of cryptocurrency.

According to a security researcher at Kaspersky named Sergey Yunakovsky, the malware can only do very basic things. It can currently only execute Batch commands it receives from it’s Command and Control (C&C) Server. This means that the infected machine can only be used as a backdoor.

CowerSnail is very unusual in it’s code language. It uses Qt, a coding framework used to develop applications across different operating systems.

Now, the CowerSnail’s C&C server (cl.ezreal.space:20480) is the same server used to deliver the EternalRed crypto miner to the Linux servers with outdated Samba installations who where vulnerable to the SambaCry bug.

“SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code ‘as is'” – Sergey Yunakovsky

The fact that both exploits use the same C&C server also suggests that the same group is behind the attacks. Thus making CowerSnail another production by the hacker group behind EternalRed.

Most antiviruses will now pick up the Malware as Backdoor.Win32.CowerSnail, with the MD5 Hash:

5460AC43725997798BAB3EB6474D391F

Yunakovsky also said that by analysing the traffic between the malware and it’s C&C server, he has found clues that the author might be working on IRC functionality so he could control the infected machines via the IRC-protocol, listing his commands there.

Usually IRC is often used for botnets, which might be a clue as to what the author wants to do with this malware.

Currently the malware can do the following things:

  • Update itself
  • Install and Uninstall itself as a Windows Service.
  • Execute Batch commands
  • Collect information about the infected machine (OS, hostname, OS type, time, processor info, memory info, etc.)