CowerSnail – a three-megabyte backdoor

London, UK – July 27, 2017 – At the end of May, researchers from Kaspersky Lab discovered a SambaCry cryptocurrency miner for *nix systems that exploited the EternalRed vulnerability. Soon afterwards they captured Windows malware that was probably created by the same group, since both samples used the same C2 server. They named it CowerSnail. Its size – 3 MB – does not reflect a wide range of tools; it is a consequence of the malware being compiled with Qt, which gave it cross-platform capability and a large file size from the built-in libraries. The tools in its arsenal are standard for backdoors: CowerSnail can receive updates, collect system information and execute commands. Communication with the C2 server takes place over the IRC protocol. The backdoor registers the infected host and then starts exchanging pings with the server while waiting for further commands.

The appearance, within a short period, of two Trojans for different platforms and with different functionality from one hacker group suggests that they will produce other malware shortly. To protect against such attacks, it is necessary to install updates promptly and to investigate suspicious connections and activities. In the S.M.A. cloud, you will find use cases for your SIEM that will help detect infected hosts using behavioral analysis and statistical profiling methods.
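The two behaviours described above (an IRC registration followed by a regular exchange of pings with the C2 server) and the statistical-profiling approach the last paragraph alludes to can be turned into a concrete SIEM-style check. The following is an added example written for this page; it is not Kaspersky Lab's analysis tooling nor part of any S.M.A. use case. It assumes a simplified, constructed sensor log with one line per observed client message in the form `timestamp src dst dport payload`; the hosts, addresses and messages are invented for the demonstration. The detector groups messages per flow, requires an IRC registration (NICK/USER), and then profiles the inter-arrival times of the keep-alive (PING/PONG) messages: a low coefficient of variation means the host is talking to the server on a schedule, which is the beaconing pattern the article describes.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Client-side IRC commands. A CowerSnail-style bot registers with NICK/USER and
# then keeps the session alive by answering the server's PINGs with PONG.
IRC_COMMAND = re.compile(r"^(NICK|USER|JOIN|PING|PONG|PRIVMSG)\b")
REGISTRATION = {"NICK", "USER"}
KEEPALIVE = {"PING", "PONG"}

# Constructed sensor log (invented for this example, not real telemetry):
# one line per client message, "ISO-timestamp src dst dport payload".
# 10.0.0.5 registers and then answers pings about once a minute (beacon);
# 10.0.0.7 browses a web site irregularly; 10.0.0.9 registers but sends
# too few keep-alives to profile.
SAMPLE_LOG = """\
2017-07-27T10:00:00 10.0.0.5 203.0.113.10 6667 NICK host-a1b2
2017-07-27T10:00:00 10.0.0.5 203.0.113.10 6667 USER host-a1b2 0 * :host-a1b2
2017-07-27T10:01:00 10.0.0.5 203.0.113.10 6667 PONG :srv
2017-07-27T10:02:02 10.0.0.5 203.0.113.10 6667 PONG :srv
2017-07-27T10:02:59 10.0.0.5 203.0.113.10 6667 PONG :srv
2017-07-27T10:04:01 10.0.0.5 203.0.113.10 6667 PONG :srv
2017-07-27T10:05:00 10.0.0.5 203.0.113.10 6667 PONG :srv
2017-07-27T10:00:12 10.0.0.7 198.51.100.20 443 GET /index.html
2017-07-27T10:07:41 10.0.0.7 198.51.100.20 443 GET /news
2017-07-27T10:31:03 10.0.0.7 198.51.100.20 443 GET /about
2017-07-27T11:02:55 10.0.0.7 198.51.100.20 443 GET /contact
2017-07-27T10:10:00 10.0.0.9 203.0.113.10 6667 NICK host-c3d4
2017-07-27T10:11:00 10.0.0.9 203.0.113.10 6667 PONG :srv
"""


def parse_log(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(" ", 4)
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "payload": payload})
    return records


def beacon_profile(timestamps):
    """Mean inter-arrival gap in seconds and its coefficient of variation
    (stdev / mean). A low CV means the messages arrive on a schedule rather
    than on demand. Returns (None, None) when there are too few gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None, None
    mean = statistics.mean(gaps)
    if mean == 0:
        return mean, None
    return mean, statistics.stdev(gaps) / mean


def find_irc_beacons(text, min_keepalives=4, max_cv=0.2):
    """Flag (src, dst, dport) flows that registered over IRC and then
    exchanged keep-alives at a regular interval."""
    flows = defaultdict(list)
    for r in parse_log(text):
        cmd = IRC_COMMAND.match(r["payload"])
        if cmd:  # non-IRC payloads (e.g. HTTP) never enter the profile
            r["cmd"] = cmd.group(1)
            flows[(r["src"], r["dst"], r["dport"])].append(r)
    findings = []
    for (src, dst, dport), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        registered = any(r["cmd"] in REGISTRATION for r in recs)
        keepalives = [r["ts"] for r in recs if r["cmd"] in KEEPALIVE]
        if not registered or len(keepalives) < min_keepalives:
            continue
        mean, cv = beacon_profile(keepalives)
        if cv is None or cv > max_cv:
            continue
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "registered": registered, "keepalives": len(keepalives),
                         "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_irc_beacons(SAMPLE_LOG):
        print(f"IRC beacon: {f['src']} -> {f['dst']}:{f['dport']} "
              f"every ~{f['mean_gap_s']}s (cv={f['cv']}, {f['keepalives']} keep-alives)")
```

On the constructed log only the 10.0.0.5 flow is reported: it registered, sent five PONGs with a mean gap of 60 s and a CV of about 0.04. The HTTP flow carries no IRC commands and the 10.0.0.9 flow has too few keep-alives to profile. Note that any legitimate IRC client also answers server PINGs on a schedule, so in production the signal is IRC traffic at all from hosts where it is not expected, plus the persistence of the schedule; allowlist known IRC users and tune `min_keepalives` and `max_cv` to your environment.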