Last month, a group of hackers was reported to have exploited SambaCry, a seven-year-old remote code execution vulnerability in the Samba networking software, to break into Linux machines and install cryptocurrency-mining malware.
The same group is now targeting Windows machines with a new backdoor, a Qt-based, recompiled version of the same malicious software that was used against Linux.
Dubbed CowerSnail and detected by Kaspersky Lab security researchers as Backdoor.Win32.CowerSnail, it is a fully functional backdoor that allows its creators to remotely execute arbitrary commands on infected systems.
Wondering how these two separate campaigns are connected?
Curiously, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that, last month, infected Linux machines with cryptocurrency miners by exploiting the recently disclosed SambaCry vulnerability.
Shared C&C server address: cl.ezreal.space:20480
The SambaCry vulnerability (CVE-2017-7494), so named because of its similarity to the Windows SMB flaw exploited by the WannaCry ransomware that recently wreaked havoc around the world, affects every version of Samba from 3.5.0 onward, i.e. all releases of the last seven years.
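As an added example (not code from the article, from Kaspersky Lab or from the Samba project), the following Python script turns the affected-version range above into something an administrator can actually run against their own hosts. It assumes the fixed releases and the configuration workaround published in the Samba security advisory for CVE-2017-7494: the affected range starts at 3.5.0, the fix shipped in 4.4.14, 4.5.10 and 4.6.4 (and all later releases), and the documented workaround is `nt pipe support = no` in the `[global]` section of smb.conf. The version strings and smb.conf fragments are constructed for illustration.

```python
"""Added example (not from the article): classify a Samba version string
against the CVE-2017-7494 (SambaCry) affected range, and inspect an smb.conf
for the advisory's workaround and for writable shares, which the exploit
needs in order to upload its shared library.

Assumptions (Samba advisory for CVE-2017-7494, not the article): affected
from 3.5.0 onward; fixed in 4.4.14, 4.5.10, 4.6.4 and later releases;
workaround is 'nt pipe support = no' in [global].
"""
import re

FIRST_AFFECTED = (3, 5, 0)
# For the 4.x series that received a fix: minor -> first fixed patch level.
FIRST_FIXED_PATCH = {4: 14, 5: 10, 6: 4}
FIRST_FIXED_MINOR_WITHOUT_PATCH = 7  # 4.7.0 and later were released after the fix


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 4.6.3' (smbd --version)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text):
    """True if the upstream version number falls inside the affected range.

    Caveat: distributions backport fixes without bumping the upstream number,
    so a 'vulnerable' answer here means 'check the package changelog', not
    'exploitable'.
    """
    major, minor, patch = parse_version(text)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False
    if major > 4:
        return False
    if major < 4:
        return True  # 3.5.x and 3.6.x never received a fix
    if minor in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[minor]
    return minor < FIRST_FIXED_MINOR_WITHOUT_PATCH  # 4.0-4.3: end of life, unpatched


def _iter_settings(conf_text):
    """Yield (section, key, value) triples from smb.conf-style text.

    Lines starting with '#' or ';' are comments, as in smb.conf itself.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            yield section, key, value


def has_workaround(conf_text):
    """True if [global] disables named pipe support (the advisory's mitigation)."""
    for section, key, value in _iter_settings(conf_text):
        if section == "global" and key == "nt pipe support" and value in ("no", "false", "0"):
            return True
    return False


def writable_shares(conf_text):
    """Names of shares that allow writes; SambaCry needs one to plant its .so."""
    result = []
    for section, key, value in _iter_settings(conf_text):
        if section in (None, "global") or section in result:
            continue
        if (key == "read only" and value in ("no", "false", "0")) or \
           (key in ("writable", "writeable") and value in ("yes", "true", "1")):
            result.append(section)
    return result


# Constructed sample configurations (not taken from any real host).
VULNERABLE_CONF = """
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no      <- mitigation present but commented out
[public]
   path = /srv/samba/public
   read only = no
[archive]
   path = /srv/samba/archive
   writable = yes
[docs]
   path = /srv/samba/docs
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   nt pipe support = no
[docs]
   path = /srv/samba/docs
"""

if __name__ == "__main__":
    for v in ("Version 4.6.3", "Version 4.6.4", "Version 3.6.25", "Version 4.7.0"):
        print(v, "-> affected range" if is_vulnerable_version(v) else "-> fixed/unaffected")
    print("workaround in vulnerable conf:", has_workaround(VULNERABLE_CONF))
    print("writable shares:", writable_shares(VULNERABLE_CONF))
    print("workaround in hardened conf:", has_workaround(HARDENED_CONF))
```

Feed it the output of `smbd --version` and the contents of `/etc/samba/smb.conf`. The version check is deliberately conservative: a distribution package such as a backported 4.2.x may carry the fix while still reporting an "affected" number, so treat a positive result as a prompt to read the package changelog. Note also that the workaround disables named pipe support, which breaks some Windows clients, so it is a stopgap until the patched release is installed.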
Shortly after its public disclosure, SambaCry was exploited by this group of hackers to remotely install cryptocurrency-mining software, CPUminer, which mines currencies such as Bitcoin, Litecoin and Monero, on Linux systems.
Now the same hackers are targeting both Windows and Linux computers, using CPUminer to turn the compromised machines' processing power into profit.
“After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is very likely that this group will produce more malware in the future,” said Sergey Yunakovsky of Kaspersky Lab in a blog post.
In separate research, security researcher Omri Ben Bassat reported that several hacker groups were using the same SambaCry vulnerability for cryptocurrency mining and to install the Tsunami backdoor, an IRC-based DDoS botnet malware previously known for infecting Mac OS X and IoT devices.
For those unaware: Samba is open-source software (a re-implementation of the SMB/CIFS networking protocol) that provides file and print services from Linux/Unix servers to Windows-based clients, and it runs on most operating systems and on many IoT devices.
Despite being patched in late May, the SambaCry bug is still being actively exploited. Just last week, researchers uncovered a new piece of malware, dubbed SHELLBIND, that exploits the flaw to backdoor NAS (Network Attached Storage) devices.