CowerSnail Backdoor from the Developers of SambaCry

Security experts from Kaspersky labs identified a new backdoor Trojan CowerSnail that targets Windows system was created by the Authors of SambaCry that exploits Linux systems running with older versions of Samba(3.5.0).

Both the Sambacry and CowerSnail using the same C&C server which indicates CowerSnail also created by the same team. C&C address cl.ezreal.space:20480.

CowerSnail developed using Qt which is a Cross platform framework which benefits in the easy exchange of source code between systems and they are also benefited with the File size(3MB).It was discovered by Kaspersky Lab as Backdoor.Win32.CowerSnail and named as CowerSnail.

Also read SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices

Execution Flow

Once launched it tries to escalate the priority and then connects to C&C server, it uses StartServiceCtrlDispatcher to initiate the communication.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself. Says Yunakovsky

Communication to C&C server carried through IRC protocol, which is common nowadays with IoT devices. Once the infected device registered in the server, CowerSnail pings the server and wait for the commands.

Commands from C&C Server

CowerSnail performs all the standard backdoor functions.

• Receive update (local update)
• Execute any command (BatchCommand)
• Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
• Uninstall CowerSnail from service list (Uninstall)
• Collect system information:
  • Timestamp
  • Installed OS type (e.g. Windows)
  • OS name
  • Host name
  • Information about network interfaces
  • ABI
  • Core processor architecture
  • Information about physical memory

Yunakovsky Says After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Common Defence’s to stay safe

• Don’t open the attachments that you are not expecting.
• Patch or Update your software.
• Use a reputable security suite.
• Download applications from Reputed sites.
• Stay strict with CIA Cycle.