Thursday, March 28, 2024

CowerSnail Backdoor from the Developers of SambaCry

Security experts from Kaspersky labs identified a new backdoor Trojan CowerSnail that targets Windows system was created by the Authors of SambaCry that exploits Linux systems running with older versions of Samba(3.5.0).

Both the Sambacry and CowerSnail using the same C&C server which indicates CowerSnail also created by the same team. C&C address cl.ezreal.space:20480.

CowerSnail developed using Qt which is a Cross platform framework which benefits in the easy exchange of source code between systems and they are also benefited with the File size(3MB).It was discovered by Kaspersky Lab as Backdoor.Win32.CowerSnail and named as CowerSnail.

Also read SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices

Execution Flow

Once launched it tries to escalate the priority and then connects to C&C server, it uses StartServiceCtrlDispatcher to initiate the communication.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself. Says Yunakovsky
CowerSnail Backdoor from the Developers of SambaCry
Source: securelist

Communication to C&C server carried through IRC protocol, which is common nowadays with IoT devices. Once the infected device registered in the server, CowerSnail pings the server and wait for the commands.

Commands from C&C Server

CowerSnail performs all the standard backdoor functions.

  • Receive update (local update)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory
Yunakovsky Says After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.
  • Download applications from Reputed sites.
  • Stay strict with CIA Cycle.
Website

Latest articles

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles