New CowerSnail Windows Backdoor linked to SHELLBIND SambaCry Linux Malware

Malware researchers at Kaspersky Lab have found a new Windows Backdoor dubbed CowerSnail linked to the recently discovered SHELLBIND SambaCry Linux malware.

Security experts at Kaspersky Lab have spotted a new Windows Backdoor dubbed CowerSnail linked to the recently discovered SHELLBIND SambaCry Linux malware.

SHELLBIND has infected most network-attached storage (NAS) appliances, it exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share, and then cause the server to load that library.

This trick allows a remote attacker to execute arbitrary code on the targeted system.

SHELLBIND and the Backdoor.Win32.CowerSnail shares the command and control (C&C) server (cl.ezreal.space:20480).

“We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry.” states Kaspersky.  “It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.”

The CowerSnail backdoor was developed using the cross-platform development framework Qt, a design choice to allow rapid migration of the malicious code developed for Unix platform to a Windows environment.

SambaCry was designed for *nix-based systems, meanwhile, CowerSnail was written using Qt because the author didn’t want to go into the details of WinAPI and migrated the code the *nix code “as is”.

On the other hand, while it does make it easier to transfer code between platforms, Qt significantly increases the size of the resulting file.

The drawback in using Qt is the increasing of the size of the resulting file.

“This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small proportion of a large 3 MB file.” continues Kaspersky.

CowerSnail first escalates the process priority and the current thread’s priority, then it starts communicating with its Command & Control server through the IRC protocol.

CowerSnail implements classic backdoor features, it can collect information about the infected system (Timestamp, Installed OS type (e.g. Windows), OS nameHost name, Information about network interfaces, ABI Core processor architecture
Information about physical memory), it can execute commands, install or uninstall itself as a service, and receive updates.

The experts believe that the same threat actor has developed the two Trojans, each designed for a specific purpose.

“After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” concluded Kaspersky Lab.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  (CowerSnail Windows Backdoor, SambaCry)

[adrotate banner=”13″]