Security researchers detected the CowerSnail malware during an ongoing investigation into large-scale attacks. According to the analysis, the criminals behind it are also responsible for the SambaCry Trojan that exploits the CVE-2017-7494 vulnerability.
What Is The CowerSnail Linux Virus
The CowerSnail malware was detected in an ongoing attack campaign run by a single hacker group. It is compiled with the Qt toolkit, a cross-platform development framework that is widely used across the Linux ecosystem, so the same code base can be built for Mac OS X, Microsoft Windows and several embedded platforms (Integrity, QNX and VxWorks) with little change. The current samples are linked against a few libraries supplied by the host system; replacing those with their cross-platform equivalents would make a port straightforward. The choice carries a price in file size: because the Qt components are built into the executable, the resulting binary is about 3 MB, which is large for a payload and makes it harder to deliver through the usual small-dropper distribution tactics.
The analysis of the captured CowerSnail samples shows the following infection pattern:
- When run, CowerSnail first raises the scheduling priority of its own thread and of the process itself.
- It then calls StartServiceCtrlDispatcher, the Windows Service Control Manager API through which a process hands its main thread to the SCM and runs as a service (the API exists only on Windows, so the analysed samples are Windows builds). Once running as a service it connects to the remote hacker-operated C&C (command and control) servers; the network channel is therefore established in the earliest phase of the infection, which is what makes CowerSnail a backdoor Trojan rather than a self-contained payload.
- If the service dispatcher call fails, for example because the binary was started interactively rather than by the service manager, CowerSnail falls back to reading a set of predefined actions and their parameters from user input. This lets it be dropped as a secondary payload and configured by whatever malware installed it.
- Infected hosts report to the C&C servers over IRC, the text-based chat protocol. IRC has long been a favourite control channel because bot frameworks for it are mature and cheaply available on underground markets. That choice also helps defenders: IRC is plaintext unless wrapped in TLS, so its command grammar is easy to recognise in traffic regardless of the port it is carried on.
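As an added example (not code from the original article or from any CowerSnail analysis), here is how a defender can recognise an IRC control channel from the protocol grammar alone and pull the operator's instructions out of a reassembled stream. The session, nick, channel and "!command" strings are constructed for illustration; nothing here is a real CowerSnail indicator.

```python
"""Recognise IRC command-and-control in captured traffic and pull out the
operator's instructions.

Added example, not part of the original article or of any published
CowerSnail analysis: the session below is constructed, and the nick, channel
and '!command' strings are assumptions, not indicators from real samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1459 line grammar: [':' prefix SPACE] command [params] [SPACE ':' trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$"
)
# Client-side commands a bot must send, in this order, to get onto a network.
HANDSHAKE = ("NICK", "USER", "JOIN")


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one line; None if it is not well-formed IRC."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return IrcMessage(m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing"))


def looks_like_irc(client_lines: List[str]) -> bool:
    """True when the client half of a TCP stream performs the IRC handshake.
    Judging by grammar rather than port matters: C&C rarely sits on 6667."""
    pos = 0
    for msg in map(parse_irc_line, client_lines):
        if msg and pos < len(HANDSHAKE) and msg.command == HANDSHAKE[pos]:
            pos += 1
    return pos == len(HANDSHAKE)


def extract_operator_commands(server_lines: List[str], bot_nick: str) -> List[Tuple[str, str]]:
    """(sender nick, text) for every PRIVMSG aimed at the bot or at a channel."""
    out = []
    for msg in map(parse_irc_line, server_lines):
        if not msg or msg.command != "PRIVMSG" or not msg.params or msg.trailing is None:
            continue
        target = msg.params[0]
        if target == bot_nick or target.startswith("#"):
            out.append(((msg.prefix or "").split("!")[0], msg.trailing))
    return out


# Constructed session, as it would be reassembled from a pcap: the two
# directions of one TCP stream on an arbitrary port.
CLIENT_SIDE = [
    "NICK bot-7f3a\r\n",
    "USER bot-7f3a 0 * :bot-7f3a\r\n",
    "JOIN #ctrl\r\n",
]
SERVER_SIDE = [
    ":irc.example.invalid 001 bot-7f3a :Welcome\r\n",
    ":operator!op@example.invalid PRIVMSG #ctrl :!sysinfo\r\n",
    ":operator!op@example.invalid PRIVMSG bot-7f3a :!exec id\r\n",
    ":irc.example.invalid PING :irc.example.invalid\r\n",
    ":someone!u@host.invalid PRIVMSG otheruser :hello\r\n",
]

if __name__ == "__main__":
    print("IRC handshake seen:", looks_like_irc(CLIENT_SIDE))
    for sender, text in extract_operator_commands(SERVER_SIDE, "bot-7f3a"):
        print(f"{sender} -> {text}")
```

The classifier deliberately ignores the TCP port and keys on the NICK, USER, JOIN sequence, since a bot that talks to a controller on an unusual port still has to complete that handshake; feed it the client direction of each reassembled stream from a capture and review the PRIVMSG text of anything it flags.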
CowerSnail Linux Virus Capabilities
An important trait of CowerSnail is that it is built to operate as one component of a multi-stage attack involving several pieces of malware. A plausible scenario is that a different threat performs the initial compromise and then drops CowerSnail for espionage and remote control; the primary threat can retrieve the C&C server addresses and the associated commands and feed them to CowerSnail.
Once infection has taken place, the malware inventories the host's hardware and sends the results to the operators, who can use them for statistics or to choose follow-on exploits suited to the compromised devices. The captured samples expose the following command set:
- Automatic updates – the C&C can instruct CowerSnail to replace itself with a new version issued by its developers.
- Arbitrary Command Execution – the remote operators can run commands of their choice on the infected host.
- Service Installation – CowerSnail can register itself as a system service, so that it starts at boot without user interaction and survives logouts; removing it then requires administrative (root) privileges, which an ordinary user may not have. This is persistence rather than stealth: unlike a rootkit it does not hide its files or processes, and speculation that later versions might load kernel modules is not supported by the captured samples. The operators can also order the implant to uninstall itself.
- Detailed Information Harvesting – on request CowerSnail collects and reports the timestamp of installation, the operating system name and version, the host name, details of all network interfaces, the application binary interface (ABI), and CPU and memory information.
CowerSnail Linux Virus and the SambaCry Trojan (CVE-2017-7494) Connection
The CowerSnail operators use the same C&C server as the SambaCry Trojan, and parts of the code base appear to be shared between the two. SambaCry infects machines vulnerable to the so-called EternalRed or SambaCry exploit (CVE-2017-7494). The Samba advisory reads:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Samba is the open-source implementation of the SMB protocol shipped with Linux distributions and other Unix-like systems, and older Mac OS X releases bundled it as well. The vulnerable code dates back to Samba 3.5.0, released in 2010, and was fixed in May 2017 with the 4.6.4, 4.5.10 and 4.4.14 security releases (plus patches for older branches) once the bug was reported. Because the uploaded module is loaded by the smbd process, which commonly runs as root, the SambaCry Trojan executes its predefined command with super-user (root) privileges and starts the infection chain:
- Reverse Shell Startup – the first stage runs a reverse shell that connects back to a predefined remote server, giving the attackers interactive control of the host at any time.
- Malware Infiltration – SambaCry has been used to compromise machines worldwide and to drop additional malware on them.
- Crypto Currency Mining – a large share of the infected hosts were found running a Monero miner, downloaded from a remote host and started locally. It burns the machine's CPU to mine coins that are paid into the attackers' wallet.
Mining has become a recent trend among criminals because a large network of infected machines generates a steady income. The engineers found that the payload is a modified build of a popular Monero miner: if started without arguments it falls back to hard-coded pool and wallet parameters, so its process may show nothing on the command line but its path. The pattern is similar to the Adylkuzz attack.
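The following is an added example, not code from the article or from the Samba project, showing the checks a practitioner would run on a Samba host after reading the advisory: is the installed version below the fixed releases (4.6.4, 4.5.10, 4.4.14), is the "nt pipe support = no" workaround actually in effect, which shares accept uploads, and has an ELF shared object been dropped into one of them. The smb.conf text and the fake ELF header are constructed inputs.

```python
"""Triage a Samba host for SambaCry / EternalRed (CVE-2017-7494).

Added example, not code from the original article or the Samba project. The
version thresholds are the Samba security releases that fixed the bug (4.6.4,
4.5.10, 4.4.14); the smb.conf text and fake ELF header below are constructed.
"""
import os, re, struct, tempfile
from pathlib import Path
from typing import Dict, List

# First fixed patch level per branch supported at disclosure; 4.7+ ships the fix.
# 3.5.0 up to these is vulnerable unless your distribution backported the patch.
FIXED = {(4, 4): 14, (4, 5): 10, (4, 6): 4}
ET_DYN = 3  # ELF e_type of a shared object, which is what the exploit uploads

def samba_version_vulnerable(text: str) -> bool:
    """Accepts 'smbd --version' output such as 'Version 4.4.13-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"cannot parse Samba version from {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor, patch) < (3, 5, 0) or (major, minor) >= (4, 7):
        return False
    fix = FIXED.get((major, minor))
    return fix is None or patch < fix  # unsupported branch, or below the fix

def parse_smbconf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: section -> normalised 'key': 'value' pairs."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip().lower()
    return conf

def share_is_writable(params: Dict[str, str]) -> bool:
    """'read only' defaults to yes; 'writable'/'writeable' are inverse synonyms."""
    for key in ("writable", "writeable", "write ok"):
        if key in params:
            return params[key] in ("yes", "true", "1")
    return params.get("read only", "yes") not in ("yes", "true", "1")

def smbconf_findings(text: str) -> Dict[str, object]:
    """Is the advisory's workaround applied, and which shares accept uploads?"""
    conf = parse_smbconf(text)
    mitigated = conf.get("global", {}).get("nt pipe support") in ("no", "false", "0")
    writable = [n for n, p in conf.items() if n != "global" and share_is_writable(p)]
    return {"nt_pipe_support_disabled": mitigated, "writable_shares": writable}

def is_elf_shared_object(header: bytes) -> bool:
    """True when the bytes start an ELF header whose e_type is ET_DYN."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return False
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    return struct.unpack(endian + "H", header[16:18])[0] == ET_DYN

def find_dropped_shared_objects(share_paths: List[str]) -> List[str]:
    """List ELF shared objects under share directories. The exploit loads its
    module by path, so never rely on a '.so' extension to spot one."""
    hits = []
    for root in share_paths:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    with open(p, "rb") as fh:
                        if is_elf_shared_object(fh.read(18)):
                            hits.append(str(p))
                except OSError:
                    continue
    return sorted(hits)

SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no     (workaround present but commented out)
[public]
   path = /srv/samba/public
   read only = no
[docs]
   path = /srv/samba/docs
   writable = no
"""

def demo_hunt() -> List[str]:
    """Constructed share tree: a fake ET_DYN header under an innocuous name
    beside a text file. Returns share-relative paths of what the hunt finds."""
    d = tempfile.mkdtemp()
    fake_so = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", ET_DYN, 62)
    Path(d, "report.txt").write_bytes(b"quarterly numbers\n")
    Path(d, "thumbs.db").write_bytes(fake_so)
    return [Path(p).relative_to(d).as_posix() for p in find_dropped_shared_objects([d])]
```

Run the version check against the output of smbd --version, the config check against /etc/samba/smb.conf, and the hunt against the path of every share it reports as writable. A version below the fix that is not from a vendor package with a backport, combined with a writable share and no workaround, is the exposed configuration; the ELF check looks at the magic bytes and e_type rather than the file name because the exploit loads whatever path the attacker supplies.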
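Because a miner with hard-coded parameters exposes no pool URL or wallet on its command line, a process-listing check has to look at more than the arguments. This added example (not from the article) runs a few such heuristics over a constructed ps listing; the binary names, flags, paths and address pattern are general miner traits, not indicators taken from the SambaCry payload.

```python
"""Flag cryptocurrency-miner processes in a process listing.

Added example, not part of the original article: the listing below is
constructed, and the binary names, flags and pool URL patterns are common
miner traits rather than indicators from the SambaCry payload. A miner with
hard-coded parameters shows nothing but its path on the command line, so
the name and path rules matter as much as the URL and wallet rules.
"""
import re
from typing import Dict, List

MINER_BASENAMES = {"minerd", "xmrig", "xmr-stak", "cpuminer", "cpuminer-multi"}
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)
ALGO_FLAG = re.compile(r"(?:^|\s)(?:-a|--algo)[=\s]+cryptonight\S*", re.I)
# Monero standard address: 95 base58 chars starting with '4' ('8' for subaddresses).
MONERO_ADDR = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"
)
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the list of reasons a command line looks like a miner (empty if none)."""
    parts = cmdline.split()
    exe = parts[0] if parts else ""
    reasons = []
    if exe.rsplit("/", 1)[-1].lower() in MINER_BASENAMES:
        reasons.append("known miner binary name")
    if exe.startswith(WORLD_WRITABLE_DIRS):
        reasons.append("executable runs from a world-writable directory")
    if STRATUM_URL.search(cmdline):
        reasons.append("stratum pool URL")
    if ALGO_FLAG.search(cmdline):
        reasons.append("cryptonight algorithm flag")
    if MONERO_ADDR.search(cmdline):
        reasons.append("Monero wallet address")
    return reasons


def scan_ps_output(ps_text: str) -> List[Dict[str, object]]:
    """Parse 'ps -eo pid,user,args' output and return the suspicious rows."""
    hits = []
    for line in ps_text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmdline = parts
        reasons = classify_cmdline(cmdline)
        if reasons:
            hits.append({"pid": int(pid), "user": user, "cmdline": cmdline, "reasons": reasons})
    return hits


# Constructed listing. The 4242 process mimics a hard-coded-parameter miner:
# no pool, no wallet, just a binary in /tmp. The wallet string is fake.
FAKE_WALLET = "4" + "A" * 94
SAMPLE_PS = f"""\
  PID USER     COMMAND
    1 root     /sbin/init
  812 root     /usr/sbin/smbd --foreground --no-process-group
 4242 root     /tmp/.x/minerd
 4311 nobody   /var/tmp/cpuminer -a cryptonight -o stratum+tcp://pool.example.invalid:3333 -u {FAKE_WALLET} -p x
 5010 alice    /usr/bin/python3 /home/alice/report.py
"""

if __name__ == "__main__":
    for hit in scan_ps_output(SAMPLE_PS):
        print(hit["pid"], hit["user"], hit["cmdline"][:40], "->", "; ".join(hit["reasons"]))
```

In practice pipe `ps -eo pid,user,args` into scan_ps_output and treat a single weak reason (a binary in /tmp) as a prompt to check the process's network connections and CPU time, since a build with embedded parameters will never trip the URL or wallet rules.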
Watch out for further CowerSnail Linux Virus Updates
CowerSnail appears to be a reworked release of the group's earlier tooling. Given their track record of producing dangerous malware, we expect the collective behind it to release further threats.
Linux users should remember that most infections of this kind start from unpatched software. Keep systems up to date; for the SambaCry bug that means installing the Samba security releases or, until that is possible, adding "nt pipe support = no" to the [global] section of smb.conf, the workaround the Samba advisory gives while warning that it can disable some functionality for Windows clients. Beyond that, apply common sense: do not download or run scripts or software from untrustworthy sources, and follow vendor advisories to stay current on new threats.