A new Windows backdoor dubbed CowerSnail, linked to the recently discovered SHELLBIND SambaCry Linux malware, has been discovered by security researchers at Kaspersky Lab.
SHELLBIND has mostly infected network-attached storage (NAS) appliances. It exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share and then causes the server to load that library.
This trick allows a remote attacker to execute arbitrary code on the targeted system.
SHELLBIND and Backdoor.Win32.CowerSnail share the same command and control (C&C) server (cl.ezreal.space:20480).
Kaspersky states that “We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.”
CowerSnail first escalates the process priority and the current thread's priority, then starts communicating with its C&C server over the IRC protocol.
Unlike SambaCry, CowerSnail does not download cryptocurrency mining software by default, but instead provides a standard set of backdoor functions:
- Receive update (LocalUpdate)
- Execute any command (BatchCommand)
- Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
- Uninstall CowerSnail from service list (Uninstall)
- Collect system information:
  - Installed OS type (e.g. Windows)
  - OS name
  - Host name
  - Information about network interfaces
  - Core processor architecture
  - Information about physical memory
SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code “as is”. This fact, along with the same C&C being used by both programs, strongly suggests that CowerSnail was created by the same group that created SambaCry. After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.
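The IRC-over-port-20480 C&C behaviour described above is something a defender can look for in network telemetry. The following is an added example, not code from the article or from Kaspersky: it scans constructed, simplified connection records (source, destination:port, first payload line) and flags both the reported C&C endpoint and IRC-style commands sent to ports where IRC is not expected. The log format and the sample records are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Indicator reported in the article: the C&C shared by SHELLBIND and CowerSnail.
KNOWN_C2 = {("cl.ezreal.space", 20480)}

# Ports where IRC traffic is normally expected; IRC verbs elsewhere are suspicious.
EXPECTED_IRC_PORTS = {6667, 6697}
IRC_VERB = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b")

# Assumed (constructed) record format: "<src> -> <dst>:<dport> <first payload line>"
RECORD = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<payload>.*)$")


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str  # "known_c2" or "irc_nonstandard_port"


def scan_record(line: str):
    """Return a Finding for one record, or None if nothing is suspicious."""
    m = RECORD.match(line.strip())
    if not m:
        return None  # malformed record; ignore rather than raise
    src, dst, dport, payload = m["src"], m["dst"], int(m["dport"]), m["payload"]
    if (dst, dport) in KNOWN_C2:
        return Finding(src, dst, dport, "known_c2")
    if IRC_VERB.match(payload) and dport not in EXPECTED_IRC_PORTS:
        return Finding(src, dst, dport, "irc_nonstandard_port")
    return None


def scan_log(lines):
    """Scan all records and keep only the suspicious ones."""
    return [f for f in map(scan_record, lines) if f is not None]


# Constructed sample records for demonstration (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 -> cl.ezreal.space:20480 NICK cs_10005",   # known C&C endpoint
    "10.0.0.7 -> irc.example.org:6667 NICK alice",       # ordinary IRC, expected port
    "10.0.0.9 -> 203.0.113.8:20480 USER bot 0 * :bot",   # IRC verb on an odd port
    "10.0.0.9 -> 203.0.113.8:443 GET / HTTP/1.1",        # not IRC
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport} [{f.reason}]")
```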