Dovecat crypto-miner is targeting QNAP NAS devices

Pierluigi Paganini January 21, 2021

QNAP is warning customers of a new piece of malware dubbed Dovecat that is targeting NAS devices to mine cryptocurrency.

Taiwanese vendor QNAP has published a security advisory to warn customers of a new piece of malware named Dovecat that is targeting NAS devices. The malware was designed to abuse NAS resources and mine cryptocurrency.

The malware targets QNAP NAS devices exposed online that use weak passwords.

“QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports that a new type of malware named dovecat is targeting QNAP NAS and installing bitcoin miners without user consent.” reads the security advisory published by the vendor.

“According to analysis, QNAP NAS can become infected when they are connected to the Internet with weak user passwords.”

Since the end of 2020, several users have reported infections ([1], [2]) on their devices. They noticed the presence of the “dedpma” and “dovecat” processes, which were causing a high processor load and saturating the RAM of the NAS.

In November, the vendor published a post warning its customers that NAS devices running the dovecat and dedpma processes were infected by a Bitcoin cryptocurrency miner.

“If such processes are running on recent FW (4.4.x), it means the system has been compromised and is running a Bitcoin miner.” states the post published by QNAP.

“In the meantime, please update the NAS firmware and Malware Remover in the App Center to the latest version if not done already to ensure the latest security patches are applied on the NAS.”
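A triage check for the two process names cited in the user reports and the vendor post, given here as an added example (it is not code from QNAP or from the article). It walks `/proc` from a shell on a Linux-based NAS; the function names and the `--scan` switch are assumptions of this example, and a name match is an indicator to follow up on, not a removal step.

```shell
#!/bin/sh
# Added example: flag processes named like the miner described above.
# The two names come from the article; everything else is an assumption.
SUSPECT_NAMES="dovecat dedpma"

# scan_proc ROOT: print "pid name exe-path" for each process under ROOT
# (normally /proc) whose name matches a suspect name. Silent when clean.
scan_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        # Processes can exit mid-scan, so skip entries that vanished.
        [ -r "$dir/comm" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || continue
        for suspect in $SUSPECT_NAMES; do
            if [ "$name" = "$suspect" ]; then
                # exe is a symlink to the binary on disk; it can be
                # unreadable or missing, so fall back to "?".
                exe=$(readlink "$dir/exe" 2>/dev/null) || exe="?"
                echo "${dir##*/} $name ${exe:-?}"
            fi
        done
    done
}

# count_hits ROOT: number of matching processes.
count_hits() {
    scan_proc "$1" | wc -l | tr -d ' '
}

# report ROOT: human-readable verdict; returns 1 when anything matched,
# so it can drive a cron job or monitoring check.
report() {
    hits=$(scan_proc "$1")
    if [ -n "$hits" ]; then
        echo "Suspect miner processes found (pid name exe):"
        echo "$hits"
        return 1
    fi
    echo "No dovecat/dedpma processes found."
}

# Only scan the live system when asked to: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    report /proc
fi
```

A process can rename itself, so a clean result does not prove the device is uninfected; sustained high CPU and RAM use, as the affected users described, still warrants running Malware Remover.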

According to the experts, the same Bitcoin malware also infected Synology NAS devices.

QNAP recommends that users take the following measures to prevent these infections:

  • Update QTS to the latest version.
  • Install the latest version of Malware Remover.
  • Install Security Counselor and run with Intermediate Security Policy (or above).
  • Install a firewall.
  • Enable Network Access Protection to protect accounts from brute force attacks.
  • Use stronger admin passwords.
  • Use stronger passwords for database administrators.
  • Disable SSH and Telnet services if not in use.
  • Disable unused services and apps.
  • Avoid using default port numbers (80, 443, 8080, and 8081).

In December, QNAP released security updates to fix eight vulnerabilities that could be exploited by attackers to take over unpatched NAS devices.

The list of vulnerabilities addressed by QNAP is available here; it includes XSS and command injection issues. The flaws fixed by the vendor are rated as medium and high severity.

In September, while the AgeLocker ransomware was continuing to target QNAP NAS systems, the Taiwanese vendor urged customers to update the firmware and apps.

In early August, the Taiwanese company urged its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware.

In June the company also warned of eCh0raix ransomware attacks that targeted its NAS devices.


Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)
