Sunday, October 6, 2024
HomeBackdoorCowerSnail Backdoor from the Developers of SambaCry

CowerSnail Backdoor from the Developers of SambaCry

Published on

Security experts from Kaspersky labs identified a new backdoor Trojan CowerSnail that targets Windows system was created by the Authors of SambaCry that exploits Linux systems running with older versions of Samba(3.5.0).

Both the Sambacry and CowerSnail using the same C&C server which indicates CowerSnail also created by the same team. C&C address cl.ezreal.space:20480.

CowerSnail developed using Qt which is a Cross platform framework which benefits in the easy exchange of source code between systems and they are also benefited with the File size(3MB).It was discovered by Kaspersky Lab as Backdoor.Win32.CowerSnail and named as CowerSnail.

- Advertisement - EHA

Also read SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices

Execution Flow

Once launched it tries to escalate the priority and then connects to C&C server, it uses StartServiceCtrlDispatcher to initiate the communication.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself. Says Yunakovsky
CowerSnail Backdoor from the Developers of SambaCry
Source: securelist

Communication to C&C server carried through IRC protocol, which is common nowadays with IoT devices. Once the infected device registered in the server, CowerSnail pings the server and wait for the commands.

Commands from C&C Server

CowerSnail performs all the standard backdoor functions.

  • Receive update (local update)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory
Yunakovsky Says After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.
  • Download applications from Reputed sites.
  • Stay strict with CIA Cycle.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....

Hackers Using Supershell Malware To Attack Linux SSH Servers

Researchers identified an attack campaign targeting poorly secured Linux SSH servers, where the attack...

UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader

UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver MISTPEN...