Sunday, December 3, 2023

CowerSnail Backdoor from the Developers of SambaCry

Security experts from Kaspersky labs identified a new backdoor Trojan CowerSnail that targets Windows system was created by the Authors of SambaCry that exploits Linux systems running with older versions of Samba(3.5.0).

Both the Sambacry and CowerSnail using the same C&C server which indicates CowerSnail also created by the same team. C&C address cl.ezreal.space:20480.

CowerSnail developed using Qt which is a Cross platform framework which benefits in the easy exchange of source code between systems and they are also benefited with the File size(3MB).It was discovered by Kaspersky Lab as Backdoor.Win32.CowerSnail and named as CowerSnail.

Also read SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices

Execution Flow

Once launched it tries to escalate the priority and then connects to C&C server, it uses StartServiceCtrlDispatcher to initiate the communication.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself. Says Yunakovsky
CowerSnail Backdoor from the Developers of SambaCry
Source: securelist

Communication to C&C server carried through IRC protocol, which is common nowadays with IoT devices. Once the infected device registered in the server, CowerSnail pings the server and wait for the commands.

Commands from C&C Server

CowerSnail performs all the standard backdoor functions.

  • Receive update (local update)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory
Yunakovsky Says After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.
  • Download applications from Reputed sites.
  • Stay strict with CIA Cycle.
Website

Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Booking.com Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles