Sunday, June 16, 2024

CowerSnail Backdoor from the Developers of SambaCry

Security experts from Kaspersky labs identified a new backdoor Trojan CowerSnail that targets Windows system was created by the Authors of SambaCry that exploits Linux systems running with older versions of Samba(3.5.0).

Both the Sambacry and CowerSnail using the same C&C server which indicates CowerSnail also created by the same team. C&C address cl.ezreal.space:20480.

CowerSnail developed using Qt which is a Cross platform framework which benefits in the easy exchange of source code between systems and they are also benefited with the File size(3MB).It was discovered by Kaspersky Lab as Backdoor.Win32.CowerSnail and named as CowerSnail.

Also read SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices

Execution Flow

Once launched it tries to escalate the priority and then connects to C&C server, it uses StartServiceCtrlDispatcher to initiate the communication.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself. Says Yunakovsky
CowerSnail Backdoor from the Developers of SambaCry
Source: securelist

Communication to C&C server carried through IRC protocol, which is common nowadays with IoT devices. Once the infected device registered in the server, CowerSnail pings the server and wait for the commands.

Commands from C&C Server

CowerSnail performs all the standard backdoor functions.

  • Receive update (local update)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory
Yunakovsky Says After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.
  • Download applications from Reputed sites.
  • Stay strict with CIA Cycle.
Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles