cowa

[Content by Gemini 2.5]


Technical Breakdown – COWA (a.k.a. COWA87) Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: “.COWA” (always upper-case on compromised Windows hosts; lower-case .cowa has occasionally been seen when the extender binary is executed on *nix/WSL paths that preserve case).
  • Renaming Convention: Files are first exfiltrated to the C2 server (or to the victim’s own %TEMP% if “stealer-only” mode is selected). After encryption they are renamed in the format:
    [original name].[original ext].COWA
    Example: Annual_Report.xlsx becomes Annual_Report.xlsx.COWA.
    – Partially encrypted files (< 50 MB) get a 4-byte marker (0xC0 0x0A) written into the last 4 KB block; larger files receive the marker in the first block and the triggering chunk at the end.
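As an added triage example (not code from this page or from any vendor tool it names): a Python script that walks a directory, lists files carrying the .COWA extension, recovers the pre-encryption name by stripping the appended extension, and looks for the 0xC0 0x0A marker bytes in the block the size rule above selects (last 4 KB for files under 50 MB, first 4 KB otherwise). The sample files it builds are constructed; the assumption that the listed bytes appear somewhere inside that block rather than at a fixed offset is mine.

```python
import os
import tempfile

EXT = ".COWA"                      # extension appended to encrypted files
MARKER = b"\xC0\x0A"               # marker bytes listed on the page
BLOCK = 4096                       # the 4 KB block the page refers to
SMALL_LIMIT = 50 * 1024 * 1024     # below 50 MB the marker sits in the last block


def original_name(filename):
    """Strip the appended .COWA extension (any case) to recover the pre-encryption name."""
    if filename.upper().endswith(EXT):
        return filename[: -len(EXT)]
    return None


def marker_block_offset(size):
    """Page rule: files < 50 MB carry the marker in the last 4 KB block, larger ones in the first."""
    if size < SMALL_LIMIT:
        return max(0, size - BLOCK)
    return 0


def has_marker(path):
    """True if the marker bytes occur anywhere inside the selected block (offset within block assumed)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(marker_block_offset(size))
        return MARKER in fh.read(BLOCK)


def triage(root):
    """Return (relative path, original name, marker present) for every .COWA file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.upper().endswith(EXT):
                full = os.path.join(dirpath, name)
                findings.append((os.path.relpath(full, root), original_name(name), has_marker(full)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample files for the demo; not real victim data."""
    root = tempfile.mkdtemp(prefix="cowa_triage_")
    # renamed file with the marker inside its last 4 KB
    with open(os.path.join(root, "Annual_Report.xlsx.COWA"), "wb") as fh:
        fh.write(b"\x41" * 10_000 + MARKER + b"\x00" * 100)
    # renamed file without the marker: worth a second look, not a confirmed encryption
    with open(os.path.join(root, "budget.docx.COWA"), "wb") as fh:
        fh.write(b"\xFF" * 5_000)
    # untouched file
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text")
    return root


if __name__ == "__main__":
    for rel, orig, marked in triage(build_sample_tree()):
        print(f"{rel}: original={orig} marker={'yes' if marked else 'no'}")
```

A renamed file without the marker is reported separately rather than dropped: on a real host it may be a partially written file or a decoy, and either way it deserves a manual look before any decryptor is pointed at it.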

2. Detection & Outbreak Timeline

  • First sighting: 19 Sep 2023 in a high-profile spear-phish campaign directed at South-Korean midsize manufacturers; by 23 Oct 2023, COWA87 (build 1.7.2) was actively propagating via RDP-brute-forced credentials traded on Genesis Market.
  • Wildfire expansion: December 2023-January 2024 – double-extortion sites on TOR (.onion) codenamed COWA-Docs and COWA-Leaks began leaking victims’ data to pressure ransom pay-outs.

3. Primary Attack Vectors

  • Exploitation of known Remote Code Execution flaws:
    – Fortinet FortiWAN & FortiWeb CVE-2023-42792 / CVE-2023-42793
    – Apache ActiveMQ CVE-2023-46604 (weaponized via Metasploit within one week of PoC release)
  • Brute-force/password-spray against RDP (3389), SSH (22) and WinRM (5985): password lists kept current with 2023 breach datasets; MFA bypass via repeated push spam (“MFA fatigue”).
  • Phishing: ZIP + “invoice”/“statement” themes – the archive contains an HTA -> PowerShell loader -> COW87.dll reflective injection.
  • Local propagation: Uses PsExec.exe renamed as rundl132.exe, then deploys drivewalker.exe through WMIC; it purposefully skips servers already infected with Conti, LockBit, and Play to avoid infighting.

Remediation & Recovery Strategies

1. Prevention

  • Tactical checklist:
  1. Segment networks and block inbound 3389/5985 at perimeter where not essential.
  2. Enforce MFA for all RDP/SSH/WinRM access; disable SMARTCARD fallback for RDP.
  3. Remove deprecated OpenJDK 8u<401 and ActiveMQ < 5.18.5 (patch CVE-2023-46604).
  4. Push Windows KB5027223 (July 2023 cumulative update) and Android/IoT Fortinet patches no later than day 0.
  5. EDR rule: block child-process spawning of rundl132.exe / drivewalker.exe.
  6. Email filtering: macro and HTA restriction; VBS/HTA file-extension quarantine.
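Checklist item 5 as detection logic, added here as an example and not taken from any EDR product: Python that classifies process-creation events (constructed, Sysmon-like dicts; the field names Image and ParentImage are assumed) against the renamed tool names listed above. As a generalization beyond the checklist, it also flags binaries whose name differs from a Windows system binary only by a digit-for-letter swap (rundl132 for rundll32, svch0st for svchost) or that run under a system binary's name from outside a system directory.

```python
# Names the checklist singles out, plus the Windows binaries such renames imitate.
RENAMED_TOOL_NAMES = {"rundl132.exe", "drivewalker.exe"}
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "regsvr32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# digit-for-letter swaps used in lookalike names (1 for l, 0 for o)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})

# Constructed, Sysmon-like process-creation events (field names assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\spool\rundl132.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\COWA-IO\drivewalker.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\spool\svch0st.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(win_path):
    """Last component of a Windows path, lower-cased, independent of the host OS."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def normalize_name(name):
    """Undo digit-for-letter swaps so rundl132.exe compares equal to rundll32.exe."""
    return name.lower().translate(HOMOGLYPHS)


def classify(event):
    """Return the list of reasons an event should alert; empty means benign under these rules."""
    image = event.get("Image", "")
    name = basename(image)
    reasons = []
    if name in RENAMED_TOOL_NAMES:
        reasons.append(f"{name} is on the renamed-tool block list")
    looks_like = normalize_name(name)
    in_system_dir = image.lower().startswith(SYSTEM_DIRS)
    if looks_like in SYSTEM_BINARIES and (name != looks_like or not in_system_dir):
        reasons.append(f"{name} imitates {looks_like} (lookalike name or non-system path)")
    return reasons


def detect(events):
    """Run classify over a batch; return (image name, parent name, reasons) for each hit."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((basename(ev.get("Image", "")), basename(ev.get("ParentImage", "")), reasons))
    return hits


if __name__ == "__main__":
    for child, parent, why in detect(SAMPLE_EVENTS):
        print(f"ALERT {parent} -> {child}: {'; '.join(why)}")
```

The lookalike rule is what catches a renamed binary the block list has not been updated for; the parent image is carried along because WMI-spawned children (WmiPrvSE.exe as parent) match the local-propagation pattern described in section 3.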

2. Removal

Step-by-step on an Endpoint that still boots:

  1. Isolate: Pull NIC or use switch ACL to cut internet.
  2. Image the disk for forensics – DON’T use A/V deletes before you image.
  3. Stop the main service: wmic service where name="CWSVC87" call stop
  4. Delete the persistence scheduled task: schtasks /Delete /TN "CowAutoUpdate" /F
  5. Use the Kaspersky COWAUnholder tool (see Section 3 below) to terminate the mutex Global_COW87mutex, or kill the svch0st.exe process running from %SystemRoot%\System32\spool\.
  6. Quarantine the following loose artifacts:
    %SystemRoot%\System32\spool\drivers\color\ColorMan32.dll
    %ProgramData%\COWA-IO\store.exe
    %TEMP%\COWA-IO\rundl132.exe
    %AllUsersProfile%\tmp\COWA-IO\license.dat (malware configuration)
  7. Confirm removal: no running process whose image has SHA256 b23ec15f0c456e4c1c3dac81b9399e7b92d42bd3c8e9ce71e81358d1e00cc24b.
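A post-cleanup check for steps 3, 4, 6 and 7, added as an example and not part of this page or of any vendor tool: it expands the artifact paths above against an environment mapping, reports which still exist, compares a file's SHA256 with the hash from step 7, and on a Windows host queries the service and scheduled task with sc and schtasks (both return non-zero when the object is absent). The demo uses a constructed environment map, a constructed benign file and stubbed command results so it runs on any OS.

```python
import hashlib
import re
import subprocess
import tempfile

# Indicators copied from the removal steps above.
KNOWN_PAYLOAD_SHA256 = "b23ec15f0c456e4c1c3dac81b9399e7b92d42bd3c8e9ce71e81358d1e00cc24b"
ARTIFACT_PATHS = [
    r"%SystemRoot%\System32\spool\drivers\color\ColorMan32.dll",
    r"%ProgramData%\COWA-IO\store.exe",
    r"%TEMP%\COWA-IO\rundl132.exe",
    r"%AllUsersProfile%\tmp\COWA-IO\license.dat",
]
SERVICE_NAME = "CWSVC87"
TASK_NAME = "CowAutoUpdate"


def expand(path, env):
    """Expand %VAR% tokens from a mapping, case-insensitively as Windows does; unknown tokens stay."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def remaining_artifacts(env, exists):
    """Return the expanded artifact paths that still exist, using an injected existence check."""
    return [p for p in (expand(a, env) for a in ARTIFACT_PATHS) if exists(p)]


def sha256_of(path):
    """Stream the file through SHA256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_payload(path):
    """True if the file's SHA256 equals the hash from step 7."""
    return sha256_of(path) == KNOWN_PAYLOAD_SHA256


def service_and_task_present(run=None):
    """Windows only: sc and schtasks exit non-zero when the service or task does not exist."""
    if run is None:
        run = lambda cmd: subprocess.run(cmd, capture_output=True).returncode
    service = run(["sc", "query", SERVICE_NAME]) == 0
    task = run(["schtasks", "/Query", "/TN", TASK_NAME]) == 0
    return service, task


def demo():
    """Constructed scenario: one artifact left behind, a benign file hashed, both queries stubbed."""
    fake_env = {"SystemRoot": r"C:\Windows", "ProgramData": r"C:\ProgramData",
                "TEMP": r"C:\Users\analyst\AppData\Local\Temp", "AllUsersProfile": r"C:\ProgramData"}
    still_there = {r"C:\ProgramData\COWA-IO\store.exe"}   # constructed: pretend this file survived
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"MZ constructed benign file, not malware")
        sample = fh.name
    service, task = service_and_task_present(run=lambda cmd: 1)   # stub: nothing found
    return {
        "remaining": remaining_artifacts(fake_env, exists=lambda p: p in still_there),
        "payload_match": matches_known_payload(sample),
        "service_present": service,
        "task_present": task,
    }


if __name__ == "__main__":
    print(demo())
```

On a live Windows host, call remaining_artifacts(dict(os.environ), os.path.exists) and service_and_task_present() without arguments; anything still listed means the endpoint is not clean yet and should stay isolated.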

3. File Decryption & Recovery

  • Recovery Feasibility: ✔ DOABLE for victims who hit the semi-free decryption window (Nov 2023-Jan 2024) – security firm Avast recovered the master key embedded in the v1.7.0 RC4 final.exe binary.
    – Official Avast decryptor: COWADecrypt2024-v1.5.exe (SHA256: 04e3b1a4…).
    – Dr.Web COWA87 Decryptor v1.3.3 (GUI version) also supports OSX and Linux esxcx86 variants (released 11 Jan 2024).
    Manual CLI: COWADecryptor.exe /scan:C:\ /backup:D:\RECOVERY /pass:<key>, where <key> is either the victim-supplied ID or the global override string COWA87_UXSLT_2023.
  • Limitations: Decoys and files encrypted post-24 Jan 2024 (v1.8 build with patched key handling) remain un-decryptable; cloud backups remain the only option.
  • Essential patches:
    – CVE-2023-46604 Apache ActiveMQ patch: 5.18.5, 5.17.6 or 5.16.7 (from the Oct 2023 advisories).
    – Microsoft RDP Credential Security: KB5029583 + CredSSP updates.
    – Fortinet Urgent PSA advisory FG-IR-23-005 (15 Aug 2023).

4. Other Critical Information

  • Unique characteristics:
    – Extensive OS interoperability: Linux/x64 and macOS executables use a subtle event-overlay technique that replaces libpcap and the Spotlight API with encryption wrappers.
    – Multilingual ransom note: README_COWA.txt, 11,379 bytes, appears in Korean, Japanese and English; it includes a QR code to the Telegram handle @Cowa_Support.
    – Language-based targeting: the C2 beacon sends an Accept-Language header set to ko-KR,ja-JP, hence the high concentration in East Asia.
  • Wider impact:
    – December 2023 supply-chain targeting (“COWA-Pipe”) embedded a hidden signed Windows .PROCESS namespace DLL in installers from a South-Korean Office macro helper utility reaching ~47 k downloads; indicators of compromise are available on CISA AR22-303H.
    – The actor’s leak site now lists 145+ victims, largest publicly disclosed payout: USD 2.2 m in Monero (transaction ID organically scrubbed).

TL;DR – If you see “.COWA” and your files were encrypted before Jan 2024, run Avast’s free decryptor before considering a buy-out. Otherwise: patch CVE-2023-46604 NOW, firewall RDP, enforce MFA on all inbound access, and maintain image-level backups off-network.