Windows users are all too familiar with the concept of backdoor Trojans, malware, and ransomware. CowerSnail is a new type of backdoor Trojan which seems to share a lot of vulnerabilities with a previous type of ransomware designed to install cryptocurrency miners on Linux servers. This malware is coded in the Qt language, hinting at cross-OS compatibility. That is not the only aspect of CowerSnail making it unique.
CowerSnail Backdoor Trojan Is Not Weaponized Yet
One thing to take into account with malicious software is how it often falls into one of two categories. First, there are the active threats looking to deliver a payload and open the floodgates to hackers taking advantage of infected devices. CowerSnail falls into a different category, as it is not a weaponized backdoor Trojan at this stage. That does not mean it will not pose a massive threat to Windows users around the world, however.
Security researchers have already noticed some intriguing traits of this new Windows malware. First of all, it is written in the Qt coding language, which is incredibly rare. There have been instances of Qt malware before, but none of those projects amounted to much in the end. Secondly, it appears the developers of CowerSnail are the same people responsible for a recent ransomware strain which infected Linux servers with cryptocurrency mining software. For now, it serves the sole purpose of providing backdoor access to infected Windows hosts.
CowerSnail has one primary function, which is to execute batch commands on infected Windows devices. These commands are communicated over a connection with a centralized command & control service. If this server is shut down, the backdoor Trojan will become far less potent. However, without an exact location or IP address, there is nothing to take down anytime soon. Assuming this malware become successful, identifying the server will become somewhat easier.
The use of Qt as a coding language hints at cross-operating system compatibility. That would also explain why this backdoor Trojan shares so many similarities with the EternalRed malware which made the rounds about a month ago. Most of the code is seemingly ported from that malware, rather than embodying a different coding language altogether. It is certainly possible we will be seeing more types of Qt malware in the future. Having the option to create one nefarious tool capable of attacking multiple operating systems is potentially alluring to hackers.
Other features presented by CowerSnail provide plenty of additional reason for concern. It is possible for hackers to install the malware as a service, or even uninstall it from the service list. Additionally, the backdoor Trojan is mainly designed to collect information, although it seemingly does not use keyloggers or screen grab tools to do so. Once again, this constitutes a non-weaponized version of what this backdoor Trojan may be capable of in a few weeks’ or months’ time.
Security researchers are understandably quite concerned about this “criminal group” and its next objective. After targeting Linux and now Windows computers, it is impossible to tell what the future holds. This is likely not the last time we will hear about CowerSnail either, as it has a lot of potential to cause significant harm in the future. It will not install cryptocurrency mining software on your computer for now, but that could change very soon.
