Security experts at Kaspersky Lab have spotted a new Windows backdoor dubbed CowerSnail that is linked to the recently discovered SHELLBIND SambaCry Linux malware.
SHELLBIND has mostly infected network-attached storage (NAS) appliances; it exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share and then causes the server to load that library.
This trick allows a remote attacker to execute arbitrary code on the targeted system.
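A defender-side check of the preconditions described above, added here as an example (it is not code from this post or from Kaspersky): a small Python audit of smb.conf that lists writable shares, guest-accessible ones in particular, and reports whether the Samba project's published SambaCry workaround, nt pipe support = no, is in place. The sample configuration is constructed.

```python
# Constructed sample smb.conf (not from any real host): one guest-writable
# share, one authenticated writable share, no SambaCry workaround in [global].
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes
[docs]
   path = /srv/samba/docs
   writable = yes
"""
def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}} with lowercase keys.
    Ignores 'include =' and % substitutions; feed it 'testparm -s' output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def share_is_writable(share):
    # 'writable', 'writeable', 'write ok' invert 'read only' (default: yes).
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return _is_true(share[key])
    return not _is_true(share.get("read only", "yes"))

def audit_smb_conf(text):
    """Report what the SambaCry chain needs: a writable share to drop the
    library into, and named-pipe support left on. The Samba project's
    published workaround is 'nt pipe support = no' (test it first: it can
    break some functionality for Windows clients)."""
    conf = parse_smb_conf(text)
    pipes_on = _is_true(conf.get("global", {}).get("nt pipe support", "yes"))
    shares = [{"share": n, "path": s.get("path", ""),
               "guest": _is_true(s.get("guest ok", "no"))}
              for n, s in conf.items()
              if n not in ("global", "printers", "print$") and share_is_writable(s)]
    return {"nt_pipe_support": pipes_on, "writable_shares": shares}
```

On a real host run it over the output of `testparm -s` so that includes and defaults are already expanded; a guest-writable share together with `nt_pipe_support: True` is the configuration the attack described above needs.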
SHELLBIND and Backdoor.Win32.CowerSnail share the same command and control (C&C) server (cl.ezreal.house:20480).
“We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry,” states Kaspersky. “It was the common C&C server that both programs used – cl.ezreal.house:20480 – that suggested a relationship between them.”
The CowerSnail backdoor was developed using the cross-platform development framework Qt, a design choice that allows rapid migration of malicious code written for Unix platforms to a Windows environment.
SambaCry was designed for *nix-based systems, while CowerSnail was written using Qt because the author did not want to go into the details of the WinAPI and migrated the *nix code “as is”.
On the other hand, while Qt does make it easier to port code between platforms, it significantly increases the size of the resulting file.
“This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small percentage of a large 3 MB file,” continues Kaspersky.
CowerSnail first raises the process priority and the current thread's priority, then it starts communicating with its command and control server via the IRC protocol.
CowerSnail implements classic backdoor features: it can collect information about the infected system (timestamp, installed OS type (e.g. Windows), OS name, host name, information about network interfaces, ABI, core processor architecture, information about physical memory), it can execute commands, install or uninstall itself as a service, and receive updates.
The experts believe that the same threat actor developed the two Trojans, each designed for a specific target.
“After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future,” concluded Kaspersky Lab.