Privacy News Newly Discovered CowerSnail Backdoor Targets Windows Computers

[LASER_oneXM]

Security researchers have discovered a new backdoor trojan targeting Windows computers. Named CowelSnail, this malware appears to be the work of the same group who weaponized the SambaCry vulnerability to install cryptocurrency miners on Linux servers last month.

Codewise, CowerSnail is an unusual strain, being coded in Qt, a coding framework for developing cross-OS applications. Qt malware isn't anything new or groundbreaking, but this type of malware is somewhat rare.

According to Kaspersky researcher Sergey Yunakovsky, the CowerSnail malware contains only basic functionality, and at the moment it can be only used as a backdoor to infected hosts.

Its primary feature is the ability to execute batch commands on infected hosts. CowerSnail receives these commands from a command and control (C&C) server.

CowerSnail developed by EternalRed's authors
This C&C server (cl.ezreal.space:20480) is the same one used to deliver the EternalRed cryptocurrency miner to Linux servers running outdated Samba installations, vulnerable to the SambaCry vulnerability.

"SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code 'as is'," Yunakovsky explains.

"This fact, along with the same C&C being used by both programs, strongly suggests that CowerSnail was created by the same group that created SambaCry. After creating two separate trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future," the Kaspersky expert suggests.