CowerSnail is a Windows backdoor recently uncovered by researchers at Kaspersky Lab. The analysts found a connection between this backdoor and the recently discovered SHELLBIND SambaCry Linux malware.
SHELLBIND exploits a Samba vulnerability (CVE-2017-7494, a.k.a. SambaCry and EternalRed). The infection pattern has the malware upload a shared library to a writable share and then trick the server into loading that library, which lets a remote attacker execute arbitrary code on the targeted system. SHELLBIND mainly targets network-attached storage (NAS) appliances.
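The attack pattern above needs two things from the server: a share an attacker can write to, and the named-pipe handling that makes smbd load a library from a path. Samba's own advisory for CVE-2017-7494 names `nt pipe support = no` in `[global]` as the stop-gap for servers that cannot be patched immediately. The script below is an added example (not code from Kaspersky, Trend Micro or the Samba project) that parses an smb.conf and reports whether both preconditions are present. It follows smb.conf's documented semantics (`writable`/`writeable` are inverted aliases of `read only`, `public` is an alias of `guest ok`, `[global]` values act as share defaults, the last setting wins); the two configurations at the bottom are constructed for the demo.

```python
"""Audit an smb.conf for the preconditions SambaCry-style attacks rely on.

Added example, not code from Kaspersky, Trend Micro or the Samba project.
The sample configurations at the bottom are constructed for this demo.
"""
import configparser
from typing import Dict, Iterable, List, Tuple

# Samba's documented stop-gap for CVE-2017-7494 on servers that cannot be
# patched at once: 'nt pipe support = no' in [global]. It blocks the named-pipe
# request that makes smbd dlopen() a library an attacker has uploaded.
MITIGATION_KEY = "nt pipe support"


def samba_bool(value: str) -> bool:
    """Interpret a Samba boolean string (yes/no, true/false, 1/0)."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; relax configparser to match its rules."""
    cp = configparser.ConfigParser(
        strict=False,                 # repeated keys are legal (last one wins)
        interpolation=None,           # keep '%U'-style substitutions literal
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,  # Samba only honours full-line comments
    )
    cp.read_string(text)
    return cp


def _last_bool(items: Iterable[Tuple[str, str]], direct: Tuple[str, ...],
               inverted: Tuple[str, ...], start: bool) -> bool:
    """Fold a parameter and its (possibly inverted) synonyms; last one wins."""
    val = start
    for key, value in items:
        if key in direct:
            val = samba_bool(value)
        elif key in inverted:
            val = not samba_bool(value)
    return val


def audit(text: str) -> Dict[str, object]:
    """Return the SambaCry-relevant facts about one smb.conf."""
    cp = parse_smb_conf(text)
    sections = {name.lower(): cp[name] for name in cp.sections()}
    glob = list(sections["global"].items()) if "global" in sections else []
    pipes = _last_bool(glob, (MITIGATION_KEY,), (), True)   # Samba default: yes

    writable: List[str] = []
    guest_writable: List[str] = []
    for name, sec in sections.items():
        if name == "global":
            continue
        # [global] supplies the share defaults; the share's own lines override.
        w = _last_bool(glob, ("writable", "writeable"), ("read only",), False)
        w = _last_bool(sec.items(), ("writable", "writeable"), ("read only",), w)
        if not w:
            continue
        writable.append(name)
        g = _last_bool(glob, ("guest ok", "public"), (), False)
        g = _last_bool(sec.items(), ("guest ok", "public"), (), g)
        if g:
            guest_writable.append(name)

    return {
        "nt_pipe_support": pipes,
        "writable_shares": writable,
        "guest_writable_shares": guest_writable,
        # the attacker needs somewhere to drop the .so AND the pipe to load it
        "sambacry_preconditions_met": pipes and bool(writable),
    }


# Constructed sample: a NAS-style config with the mitigation absent.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
server string = NAS (constructed example)

[public]
path = /srv/public
read only = no
guest ok = yes

[backup]
path = /srv/backup
writable = yes

[docs]
path = /srv/docs
read only = no
; the later line wins, so this share ends up read-only
writeable = no
"""

# Same config with Samba's stop-gap applied in [global].
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "[global]\n", "[global]\nnt pipe support = no\n", 1)

if __name__ == "__main__":
    for label, conf in (("unpatched", SAMPLE_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit(conf))
```

The check only reads configuration: it cannot tell whether the underlying filesystem really allows the Samba user to write, and it does not replace patching. Samba's advisory also notes that `nt pipe support = no` disables functionality some Windows clients expect, so treat it as a temporary measure until the server runs a fixed Samba release.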
The connection between Backdoor.Win32.CowerSnail and SHELLBIND is that both use the same command and control (C&C) server, cl.ezreal.space:20480.
“We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry,” commented Kaspersky Lab. “It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.”
CowerSnail was built with Qt, a cross-platform development framework, which allowed the malicious code to be moved quickly from a Unix platform to a Windows environment.
SambaCry was written for *nix systems; CowerSnail was written in Qt so that the author could port that *nix code to Windows without dealing with the Win32 API directly. The downside of this choice is that the Qt runtime makes the resulting binary significantly larger.
“This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small proportion of a large 3 MB file,” explained Kaspersky experts.
The infection pattern of CowerSnail begins with raising the priority of the process and of the current thread. The malware then starts communicating with its C&C server over the IRC protocol.
CowerSnail has classic backdoor features. It collects information about the infected system: the OS type, the OS name, the host name, information about the network interfaces, the ABI, the core processor architecture, information about physical memory, and a timestamp. It can execute commands, install or uninstall itself as a service, and receive updates.
The Kaspersky Lab experts believe that the two pieces of malware were developed by the same entity, and they predict that the group behind SHELLBIND and CowerSnail will create more malware.
“After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.”