CowerSnail Backdoor Targeting Windows Devices

Kaspersky Lab has identified a backdoor designed primarily for attacking Windows systems. Once the backdoor successfully infects a system, it automatically raises its process priority and connects to the C&C server using the IRC protocol. It then collects system information, sends it to the C&C domain and exchanges pings with the server. After that, the malware waits for further commands from its distributors.

Security expert Sergey Yunakovsky at Kaspersky Lab said the malware creates “two separate Trojans,” each of which is designed to attack a particular platform and has its own set of peculiarities. Therefore, claims Yunakovsky, “it is highly probable that this group will produce more malware in the future.”

According to their analysis, this backdoor was designed by the same cyber criminals who previously exploited the Samba vulnerability known as SambaCry or EternalRed to target Linux systems with a cryptocurrency miner. The link is suspected because the backdoor, dubbed Backdoor.Win32.CowerSnail by Kaspersky Lab, is controlled by the same C&C (command-and-control) server that delivered the Linux malware.

Furthermore, Yunakovsky writes that “Unlike SambaCry, CowerSnail does not download cryptocurrency mining software by default, but instead provides a standard set of backdoor functions:

  • Receive update (local update)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory”

Experts believe that the cyber criminals used Qt, a cross-platform development framework, to develop CowerSnail, which collects information about the infected device, carries out commands, receives updates and installs or uninstalls itself as a service.

Perhaps the authors leveraged Qt so that UNIX code could be carried over directly without using the Windows API. Apart from avoiding the use of platform APIs and making the code portable across platforms, Qt also considerably enlarges the size of the resulting file.

For background, the SambaCry vulnerability was exploited to link the malware on Linux systems with the attacker; CVE-2017-7494 allows a shared library to be uploaded to a writable share on a server so that a remote attacker can execute arbitrary code on the infected system. The products affected by this vulnerability included network-attached storage (NAS) appliances and routers.
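Because CVE-2017-7494 depends on a writable share, a defender can audit a Samba configuration for that precondition. The following is an added example, not code from Kaspersky Lab or the Samba project: it lists writable shares in an `smb.conf` and checks for `nt pipe support = no`, the workaround published in Samba's advisory for this CVE. The sample configuration is constructed, and the script inspects configuration only; it does not check whether the installed Samba version is patched.

```python
# Added example: audit smb.conf text for the CVE-2017-7494 preconditions.
SAMPLE = """\
# Constructed sample configuration, not taken from a real host.
[global]
   workgroup = EXAMPLE
[public]
   path = /srv/public
   writable = yes
   guest ok = yes
[docs]
   path = /srv/docs
[backup]
   path = /srv/backup
   read only = no
"""

TRUE = {"yes", "true", "on", "1"}
WRITE_SYNONYMS = {"writable", "writeable", "write ok"}  # inverse of "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}} with section and param names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in WRITE_SYNONYMS:            # normalise to "read only"
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            conf[section][key] = value           # later lines override earlier ones
    return conf

def audit(text):
    """Report writable shares and whether the named-pipe workaround is set."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    pipes_off = glob.get("nt pipe support", "yes").lower() not in TRUE
    # [global] values act as defaults for every share; shares are read-only by default.
    writable = sorted(name for name, params in conf.items()
                      if {**glob, **params}.get("read only", "yes").lower() not in TRUE)
    return {"nt_pipe_support_disabled": pipes_off, "writable_shares": writable,
            "exposed": bool(writable) and not pipes_off}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Disabling named pipe support can break functionality that some Windows clients expect, so treat it as a stopgap until the Samba package is updated.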
