A new backdoor Trojan called CowerSnail has been revealed by researchers. The malware targets Windows systems and is believed to have been generated by the same group who recently exploited the SambaCry vulnerability to send cryptocurrency miners to Linux servers, according to Kaspersky Lab’s blog Securelist. The new threat gives attackers a range of backdoor features, including the capacity to perform batch commands on infected host computers.

How Was the Trojan Created?

Kaspersky believed that the underlying mechanism for CowerSnail is similar to that of existing malware. The firm’s researchers discovered that the new exploit uses the same command-and-control (C&C) server as the group that sent the EternalRed cryptocurrency miner to Linux servers, SecurityWeek reported.

These Linux servers were exposed to the SambaCry vulnerability, and attackers exploited this flaw to upload a shared library to a host system. This process allowed cybercriminals to run arbitrary code against a system and install an open source program to mine cryptocurrencies such as bitcoin and Monero, Forbes explained.

The development techniques behind CowerSnail provide another hint to the malware’s origins. The Trojan was created through a framework called Qt, which supports cross-platform development and gives writers the opportunity to transfer source code between operating systems. Kaspersky suggested that the malware writers probably wanted to avoid learning the Windows API and instead chose to transfer existing code.

How CowerSnail Works

The malicious program prioritizes its processes on an infected system and communicates with its C&C server through the Internet Relay Chat (IRC) protocol. The malware collects system information, sends this data back to the C&C domain, exchanges pings with the server and waits for further commands from attackers.

It is worth nothing that, despite its similarities with previous malware, CowerSnail does not download cryptocurrency mining software by default. Kaspersky reported that it instead provides a standard set of backdoor functions, including the ability to receive updates, execute any command and collect system information.

Bleeping Computer stated that CowerSnail contains only basic functionality at the moment. However, IT and security managers should take note of the threat and be wary of future escalations.

The Response

Kaspersky researcher Sergey Yunakovsky warned in his Securelist blog post that the people behind the threat are likely to strike again. “After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” he wrote.

Experts were not sure how CowerSnail is distributed. One possibility is that the malware authors rely on infection via user interaction, such as opening malicious email attachments, according to the Forbes article.

While the researchers were unsure of the scale of the threat posed by the new malware, it nevertheless represents another potential backdoor into enterprise platforms — and another reminder of the importance of strong security practices. IT managers who want to maintain enterprise integrity on Microsoft operating systems should prioritize the installation of the latest Windows security updates.

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read