July 27, 2017 By Mark Samuels 2 min read

A new backdoor Trojan called CowerSnail has been revealed by researchers. The malware targets Windows systems and is believed to have been written by the same group that recently exploited the SambaCry vulnerability to install cryptocurrency miners on Linux servers, according to Kaspersky Lab’s blog Securelist. The new threat gives attackers a range of backdoor features, including the ability to execute batch commands on infected hosts.

How Was the Trojan Created?

Kaspersky assessed that CowerSnail shares its origins with existing malware. The firm’s researchers discovered that the new Trojan uses the same command-and-control (C&C) server as the group that pushed the EternalRed cryptocurrency miner to Linux servers, SecurityWeek reported.

Those Linux servers were exposed to the SambaCry vulnerability, which attackers exploited by uploading a shared library to a writable share and having the Samba server load it. This gave the attackers arbitrary code execution on the host, which they used to install an open source program to mine cryptocurrency such as Monero, Forbes explained.

The development techniques behind CowerSnail provide another hint to the malware’s origins. The Trojan was built with Qt, a framework that supports cross-platform development and lets authors port source code between operating systems. Kaspersky suggested that the malware writers probably wanted to avoid learning the Windows API and instead chose to reuse existing code.

How CowerSnail Works

Once running, the malicious program raises the priority of its own process and thread on the infected system and communicates with its C&C server over the Internet Relay Chat (IRC) protocol. The malware collects system information, sends this data back to the C&C domain, exchanges pings with the server to keep the session alive and waits for further commands from the attackers.

It is worth noting that, despite its similarities with the earlier malware, CowerSnail does not download cryptocurrency mining software by default. Kaspersky reported that it instead provides a standard set of backdoor functions, including the ability to receive updates, execute any command and collect system information.
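Because CowerSnail talks to its C&C over IRC, a plain-text protocol with a recognizable handshake, a defender can look for that handshake in captured client traffic regardless of the port used. The following is an added illustration of that detection idea in Python; it is not CowerSnail’s code, not Kaspersky’s detection logic and not tied to any real C&C server. The host names, ports and payloads in SAMPLE_FLOWS are constructed for the example.

```python
"""
Heuristic detector for IRC-style C&C sessions in captured client-to-server
TCP payloads. Added example; the sample flows below are constructed.
"""
import re
from collections import defaultdict

# IRC client commands (RFC 1459). A NICK/USER registration followed by a
# JOIN, PONG or PRIVMSG means the host is really speaking IRC, whatever the
# port. The lookahead requires whitespace or end-of-line after the command
# so HTTP headers such as "User-Agent:" do not match "USER".
IRC_CMD = re.compile(r"^(?::\S+\s+)?(NICK|USER|JOIN|PING|PONG|PRIVMSG)(?:\s|$)", re.I)

REGISTRATION = {"NICK", "USER"}
SESSION = {"JOIN", "PONG", "PRIVMSG"}
STANDARD_IRC_PORTS = {6667, 6697}


def parse_irc_lines(payload: str):
    """Yield the upper-cased IRC command for each line that looks like an IRC message."""
    for line in payload.split("\r\n"):
        match = IRC_CMD.match(line.strip())
        if match:
            yield match.group(1).upper()


def classify_flows(flows):
    """
    flows: iterable of (src_host, dst_host, dst_port, client_payload).
    Returns {src_host: [finding, ...]} for hosts that completed an IRC
    registration and then joined a channel or answered a keep-alive.
    """
    findings = defaultdict(list)
    for src, dst, port, payload in flows:
        seen = set(parse_irc_lines(payload))
        if REGISTRATION <= seen and seen & SESSION:
            note = f"IRC session to {dst}:{port} ({', '.join(sorted(seen))})"
            if port not in STANDARD_IRC_PORTS:
                note += " on non-standard port"
            findings[src].append(note)
    return dict(findings)


# Constructed sample: a workstation talking IRC on an odd port (suspicious),
# a normal HTTP request (ignored) and a chat client on the standard IRC port.
SAMPLE_FLOWS = [
    ("ws-01", "c2.example", 8080,
     "NICK bot1\r\nUSER bot1 0 * :bot1\r\nJOIN #chan\r\nPONG :srv\r\n"),
    ("ws-02", "web.example", 80,
     "GET / HTTP/1.1\r\nHost: web.example\r\nUser-Agent: x\r\n\r\n"),
    ("ws-03", "irc.example", 6667,
     "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #team\r\n"),
]


def run_sample():
    """Classify the constructed flows; a SOC pipeline would feed real captures instead."""
    return classify_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for host, notes in run_sample().items():
        for note in notes:
            print(f"{host}: {note}")
```

The non-standard-port flag is the useful signal for a Windows fleet: a workstation that completes an IRC registration on a port no chat client uses deserves a closer look, while the same handshake on port 6667 from a known IRC user is routine.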

Bleeping Computer stated that CowerSnail contains only basic functionality at the moment. However, IT and security managers should take note of the threat and be wary of future escalations.

The Response

Kaspersky researcher Sergey Yunakovsky warned in his Securelist blog post that the people behind the threat are likely to strike again. “After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” he wrote.

Experts were not sure how CowerSnail is distributed. One possibility is that the malware authors rely on infection via user interaction, such as opening malicious email attachments, according to the Forbes article.

While the researchers were unsure of the scale of the threat posed by the new malware, it nevertheless represents another potential backdoor into enterprise platforms and another reminder of the importance of strong security practices. IT managers responsible for Windows systems should prioritize installing the latest Windows security updates, since the distribution method is unknown and patching closes the most common delivery routes.
