'SambaCry' malware scum return with a Windows encore

Malware authors continue to chip away at Samba bugs similar to those that helped spread WannaCry/WannaCrypt.

Kaspersky researchers writing at Securelist say they've spotted a Windows variant of SambaCry, which was first spotted in June. The new variant has been dubbed "CowerSnail".

The researchers strongly suspect CowerSnail comes from SambaCry's developers as it points to the same C&C server.

The authors have designed their malware to be cross-platform, writes Kaspersky's Sergey Yunakovsky: it's compiled using Qt, with a library framework that provides “cross-platform capability and transferability of the source code between different operating systems.”

The only penalty the developers suffer in trying to make the malware cross-platform is that the user code is only “a small proportion of a large 3 MB file”.

Yunakovsky reckons Qt was chosen so the creators could stick with familiar environments, and save themselves the pain of learning the details of Windows APIs, preferring to “transfer the *nix code 'as is'”.

Unlike SambaCry, the CowerSnail authors don't try to turn targets into cryptocurrency miners. Instead, infected machines get in touch with the C&C (over the IRC protocol) and create “standard backdoor functions”.

These include receiving updates, executing shell commands, and self-removal if needed. ®