CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware


This topic contains 1 reply, has 2 voices, and was last updated by  s3crafcp 2 years, 11 months ago.

#97150

    MD Khurshid Alam

    CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware
    Thursday, July 27, 2017
    Last month, we reported about a group of hackers exploiting SambaCry—a 7-year-old critical remote code execution vulnerability in Samba networking software—to hack Linux computers and install malware to mine cryptocurrencies.
    The same group of hackers is now targeting Windows machines with a new backdoor, which is a Qt-based re-compiled version of the same malware used to target Linux.
    Dubbed CowerSnail and detected by security researchers at Kaspersky Labs as Backdoor.Win32.CowerSnail, it is a fully-featured Windows backdoor that allows its creators to remotely execute any commands on the infected systems.
    Wondering how these two separate campaigns are connected?
    Interestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability.
    Common C&C Server Location —
    SambaCry vulnerability (CVE-2017-7494), named due to its similarities to the Windows SMB flaw exploited by the WannaCry ransomware that recently wreaked havoc worldwide, affected all Samba versions newer than Samba 3.5.0 released over the past seven years.
    Shortly after the public revelation of its existence, SambaCry was exploited by this group of hackers to remotely install cryptocurrency mining software ("CPUminer", which mines cryptocurrencies like Bitcoin, Litecoin, Monero and others) on Linux systems.
    But now, the same hackers are targeting both Windows and Linux computers with CPUminer, utilising the computing resources of the compromised systems in order to make a profit.
    “After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” Sergey Yunakovsky of Kaspersky Lab said in a blog post.
    In separate research, security researcher Omri Ben Bassat reported about more copycat groups of hackers who are exploiting the same SambaCry vulnerability for cryptocurrency mining and installing the "Tsunami backdoor," an IRC-based DDoS botnet malware that has been known for infecting Mac OS X and IoT devices in the past.
    For those unaware: Samba is open-source software (re-implementation of SMB/CIFS networking protocol) that offers Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems and IoT devices.
    Despite being patched in late May, the SambaCry bug is actively being exploited by hackers. Just last week, researchers spotted a new piece of malware, called SHELLBIND, exploiting the flaw to backdoor Network Attached Storage (NAS) devices.
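The post says the SambaCry flaw (CVE-2017-7494) affects every Samba release newer than 3.5.0 and was patched in late May 2017, and that it is still being exploited. The following is an added example, not code from the original post or from Kaspersky: a small exposure check a defender can run over an inventory of `smbd --version` banners and `smb.conf` contents. The specific fixed releases (4.6.4, 4.5.10, 4.4.14) and the `nt pipe support = no` workaround come from the upstream Samba advisory and are assumptions not stated on this page; the sample banners and config are constructed.

```python
"""CVE-2017-7494 (SambaCry) exposure check for a defender's inventory.

Added example (not from the original post). Facts taken from the post:
affected = every Samba version newer than 3.5.0; fix published late May 2017.
Assumptions (from the upstream Samba advisory, not stated on the page):
fixed releases 4.6.4 / 4.5.10 / 4.4.14, workaround 'nt pipe support = no'.
Caveat: this is a banner-based check; a distribution may backport the fix
without bumping the version, so treat 'vulnerable' as 'needs confirmation'.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (3, 5, 0)          # stated on the page
# Assumption: first fixed release in each series that was supported in May 2017.
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
LAST_AFFECTED_SERIES = (4, 6)                 # 4.7+ shipped after the fix


def parse_version(banner: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of 'smbd --version' output such as
    'Version 4.5.8-Ubuntu'. Returns None when no version number is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(ver: Version) -> bool:
    """True when the version lies inside the affected range."""
    if ver < FIRST_AFFECTED:
        return False                          # older than the bug's introduction
    series = (ver[0], ver[1])
    if series > LAST_AFFECTED_SERIES:
        return False                          # released after the fix
    fixed = FIXED_RELEASES.get(series)
    if fixed is None:
        return True                           # unsupported series (e.g. 3.6.x, 4.3.x): no upstream fix
    return ver < fixed


def has_workaround(smb_conf: str) -> bool:
    """True when smb.conf disables named pipes ('nt pipe support = no'),
    the upstream workaround for hosts that cannot be patched immediately."""
    for line in smb_conf.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue                          # comments and section headers have no '='
        if key.strip().lower() == "nt pipe support" and value.strip().lower() in ("no", "false", "0"):
            return True
    return False


def assess(banner: str, smb_conf: str) -> str:
    """Classify one host: unknown / not-affected / patched / mitigated / vulnerable."""
    ver = parse_version(banner)
    if ver is None:
        return "unknown"
    if ver < FIRST_AFFECTED:
        return "not-affected"
    if not is_vulnerable_version(ver):
        return "patched"
    if has_workaround(smb_conf):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "nas-01": ("Version 4.5.8-Ubuntu", "[global]\n   workgroup = WORKGROUP\n"),
        "nas-02": ("Version 4.5.8-Ubuntu", "[global]\n   nt pipe support = no\n"),
        "file-01": ("Version 4.6.4", ""),
        "legacy-01": ("Version 3.6.25", ""),
    }
    for host, (banner, conf) in inventory.items():
        print(f"{host:10s} {assess(banner, conf)}")
```

Running the block prints one line per host; `nas-01` is flagged vulnerable, `nas-02` mitigated by the workaround, `file-01` patched, and `legacy-01` vulnerable because its 3.6 series never received an upstream fix. Feed it real `smbd --version` output and `smb.conf` files, then confirm any `vulnerable` result against the distribution's changelog before acting on it.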



    Thanks for sharing!
