Last month, we reported about a group of hackers exploiting SambaCry—a 7-year-old critical remote code execution vulnerability in Samba networking software—to hack Linux computers and install malware to mine cryptocurrencies.
The same group of hackers is now targeting Windows machines with a new backdoor, which is a Qt-based re-compiled version of the same malware used to target Linux.
Dubbed CowerSnail and detected by security researchers at Kaspersky Labs as Backdoor.Win32.CowerSnail, the malware is a fully-featured Windows backdoor that allows its creators to remotely execute any command on infected systems.
Wondering how these two separate campaigns are connected?
Interestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability.
Common C&C Server Location — cl.ezreal.space:20480
SambaCry vulnerability (CVE-2017-7494), named due to its similarities to the Windows SMB flaw exploited by the WannaCry ransomware that recently wreaked havoc worldwide, affected all Samba versions newer than Samba 3.5.0 released over the past seven years.
Shortly after the public revelation of its existence, SambaCry was exploited by this group of hackers to remotely install cryptocurrency mining software—"CPUminer", which mines cryptocurrencies like Bitcoin, Litecoin, Monero and others—on Linux systems.
Source: The Hacker News