July 27, 2017 By Mark Samuels 2 min read

A new backdoor Trojan called CowerSnail has been revealed by researchers. The malware targets Windows systems and is believed to have been generated by the same group who recently exploited the SambaCry vulnerability to send cryptocurrency miners to Linux servers, according to Kaspersky Lab’s blog Securelist. The new threat gives attackers a range of backdoor features, including the capacity to perform batch commands on infected host computers.

How Was the Trojan Created?

Kaspersky believed that the underlying mechanism for CowerSnail is similar to that of existing malware. The firm’s researchers discovered that the new exploit uses the same command-and-control (C&C) server as the group that sent the EternalRed cryptocurrency miner to Linux servers, SecurityWeek reported.

These Linux servers were exposed to the SambaCry vulnerability, and attackers exploited this flaw to upload a shared library to a host system. This process allowed cybercriminals to run arbitrary code against a system and install an open source program to mine cryptocurrencies such as bitcoin and Monero, Forbes explained.

The development techniques behind CowerSnail provide another hint to the malware’s origins. The Trojan was created through a framework called Qt, which supports cross-platform development and gives writers the opportunity to transfer source code between operating systems. Kaspersky suggested that the malware writers probably wanted to avoid learning the Windows API and instead chose to transfer existing code.

How CowerSnail Works

The malicious program prioritizes its processes on an infected system and communicates with its C&C server through the Internet Relay Chat (IRC) protocol. The malware collects system information, sends this data back to the C&C domain, exchanges pings with the server and waits for further commands from attackers.

It is worth nothing that, despite its similarities with previous malware, CowerSnail does not download cryptocurrency mining software by default. Kaspersky reported that it instead provides a standard set of backdoor functions, including the ability to receive updates, execute any command and collect system information.

Bleeping Computer stated that CowerSnail contains only basic functionality at the moment. However, IT and security managers should take note of the threat and be wary of future escalations.

The Response

Kaspersky researcher Sergey Yunakovsky warned in his Securelist blog post that the people behind the threat are likely to strike again. “After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” he wrote.

Experts were not sure how CowerSnail is distributed. One possibility is that the malware authors rely on infection via user interaction, such as opening malicious email attachments, according to the Forbes article.

While the researchers were unsure of the scale of the threat posed by the new malware, it nevertheless represents another potential backdoor into enterprise platforms — and another reminder of the importance of strong security practices. IT managers who want to maintain enterprise integrity on Microsoft operating systems should prioritize the installation of the latest Windows security updates.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today