Source

CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware

Last month, we reported about a group of hackers exploiting SambaCry—a 7-year-old critical remote code execution vulnerability in Samba networking software—to hack Linux computers and install malware to mine cryptocurrencies.

The same group of hackers is now targeting Windows machines with a new backdoor, which is a QT-based re-compiled version of the same malware used to target Linux.

Dubbed CowerSnail, detected by security researchers at Kaspersky Labs as Backdoor.Win32.CowerSnail, is a fully-featured windows backdoor that allows its creators to remotely execute any commands on the infected systems.

Wondering how these two separate campaigns are connected?

Interestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability.

Common C&C Server Location — cl.ezreal.space:20480

SambaCry vulnerability (CVE-2017-7494), named due to its similarities to the Windows SMB flaw exploited by the WannaCry ransomware that recently wreaked havoc worldwide, affected all Samba versions newer than Samba 3.5.0 released over the past seven years.

Shortly after the public revelation of its existence, SambaCry was exploited by this group of hackers to remotely install cryptocurrency mining software—"CPUminer" that mines cryptocurrencies like Bitcoin, Litecoin, Monero and others—on Linux systems.

But now, the same hackers are targeting both, Windows and Linux computers, with CPUminer by utilising computing resources of the compromised systems in order to make the profit.

"After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future," Sergey Yunakovsky of Kaspersky Lab said in a blog post.

In separate research, security researcher Omri Ben Bassat‏ reported about more copycat groups of hackers who are exploiting the same SambaCry vulnerability for cryptocurrency mining and installing "**Tsunami backdoor**," an IRC-based DDoS botnet malware that's been known for infecting Mac OS X and IoT devices in the past.

For those unaware: Samba is open-source software (re-implementation of SMB/CIFS networking protocol) that offers Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems and IoT devices.

Despite being patched in late May, the SambaCry bug is actively being exploited by hackers. Just last week, researchers spotted a new piece of malware, called **SHELLBIND**, exploiting the flaw to backdoor Network Attached Storage (NAS) devices.