CowerSnail

Security researchers have discovered a new backdoor trojan targeting Windows computers. Named CowerSnail, the malware appears to be the work of the same group that weaponized the SambaCry vulnerability to install cryptocurrency miners on Linux servers last month.

Code-wise, CowerSnail is an unusual strain: it is written in Qt, a C++ framework for developing cross-platform applications. Qt-based malware isn't new or groundbreaking, but it is somewhat rare.

According to Kaspersky researcher Sergey Yunakovsky, CowerSnail contains only basic functionality, and at the moment it can only be used as a backdoor into infected hosts.

Its primary feature is the ability to execute batch commands on infected hosts. CowerSnail receives these commands from a command and control (C&C) server.

CowerSnail developed by EternalRed's authors

This C&C server (cl.ezreal.space:20480) is the same one used to deliver the EternalRed cryptocurrency miner to Linux servers running outdated Samba installations vulnerable to SambaCry.

"SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code 'as is'," Yunakovsky explains.

"This fact, along with the same C&C being used by both programs, strongly suggests that CowerSnail was created by the same group that created SambaCry. After creating two separate trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future," the Kaspersky expert suggests.
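The shared C&C indicator above (cl.ezreal.space on port 20480) is the most directly actionable detail on this page, and it applies to both the Linux miner and the Windows backdoor. The script below is an added example, not code from the article or from Kaspersky: it hunts for the indicator in a batch of DNS and connection logs, pivoting from the domain to whatever IP addresses it resolved to so that connections logged only by IP are still caught. The log format (timestamp, record type, then key=value fields), the sample lines, and the IP addresses in them are all constructed for this example and are not from the article.

```python
"""Hunt DNS and connection logs for the CowerSnail/EternalRed C&C indicator.

Added example (not from the article or Kaspersky). The log format below is
assumed: '<timestamp> <dns|conn> key=value key=value ...'. The sample log
lines and every IP address in them are constructed for this example.
"""
import re

C2_DOMAIN = "cl.ezreal.space"   # C&C host named in the article
C2_PORT = 20480                 # C&C port named in the article

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into (timestamp, record_type, fields); None if malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    return ts, kind, dict(KV_RE.findall(rest))


def hunt(lines):
    """Return (dns_hits, conn_hits).

    dns_hits:  (ts, src, qname) for lookups of the C&C domain or a subdomain.
    conn_hits: (ts, src, dst) for connections on the C&C port to the C&C name
               or to any IP the name resolved to earlier in these logs.
    Lines are assumed to be in chronological order, so a DNS answer is learned
    before the connection that uses it.
    """
    resolved = set()          # IPs the C&C name resolved to in this log batch
    dns_hits, conn_hits = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue           # skip malformed lines instead of aborting the hunt
        ts, kind, f = rec
        if kind == "dns":
            qname = f.get("q", "").lower().rstrip(".")
            if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
                dns_hits.append((ts, f.get("src"), qname))
                if "a" in f:
                    resolved.add(f["a"])
        elif kind == "conn":
            dst = f.get("dst", "").lower().rstrip(".")
            try:
                dport = int(f.get("dport", -1))
            except ValueError:
                continue
            if dport == C2_PORT and (dst == C2_DOMAIN or dst in resolved):
                conn_hits.append((ts, f.get("src"), dst))
    return dns_hits, conn_hits


# Constructed sample logs (documentation-range IPs, not real infrastructure).
SAMPLE_LOGS = [
    "2017-07-25T10:00:01Z dns src=10.0.0.5 q=cl.ezreal.space a=203.0.113.10",
    "2017-07-25T10:00:02Z conn src=10.0.0.5 dst=203.0.113.10 dport=20480 proto=tcp",
    # same IP, different port: not flagged by this port-specific rule
    "2017-07-25T10:00:03Z conn src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp",
    "2017-07-25T10:00:04Z dns src=10.0.0.9 q=www.example.com a=198.51.100.20",
    # proxy-style record that logs the hostname rather than an IP
    "2017-07-25T10:00:05Z conn src=10.0.0.9 dst=cl.ezreal.space dport=20480 proto=tcp",
    "garbage line",
]


if __name__ == "__main__":
    dns_hits, conn_hits = hunt(SAMPLE_LOGS)
    for hit in dns_hits:
        print("C&C DNS lookup:", hit)
    for hit in conn_hits:
        print("C&C connection:", hit)
```

The port check keeps the rule tied to the indicator the article actually gives; if the C&C host is later seen on other ports, or sits on shared hosting, drop the port condition or widen it deliberately rather than silently. Run against real logs, the `resolved` set should be seeded from passive DNS as well, since the lookup that produced an IP may have happened before the log window began.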

CowerSnail has other features

Besides its backdoor functionality, Yunakovsky says CowerSnail can also perform the following actions:

  • Receive update (LocalUpdate)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory

Last but not least, Yunakovsky also saw clues in CowerSnail's C&C traffic suggesting that its authors are working on adding support for the IRC protocol. Malware developers often use IRC to control infected hosts simply by typing a command in an IRC channel. IRC-based C&C is usually employed for botnets rather than for backdoor trojans.

Image credits: N.K.Narasimhan, Bleeping Computer