Pierluigi Paganini November 04, 2019

Security experts warn of a new piece of malware dubbed QSnatch that already infected thousands of QNAP NAS devices worldwide.

A new piece of malware dubbed QSnatch is infecting thousands of NAS devices manufactured by the Taiwanese vendor QNAP.

The name comes after the target vendor and the “snatching” activity the malware performs.

According to the German Computer Emergency Response Team (CERT-Bund), over 7,000 devices have been infected in Germany alone.

A couple of weeks ago, the experts at the National Cyber Security Centre of Finland (NCSC-FI), published a report on the QSnatch malware. The experts were alerted about the malware in October and immediately launched an investigation.

“NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate to specific command and control (C2) servers.” reads the report. “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.”

At the time the infection vector is still unclear, once the malware access to a vulnerable device the malicious code is injected into the firmware to gain reboot persistence.

The sample analyzed by the expert was able to perform the following actions:

• Modify operating system timed jobs and scripts (cronjob, init scripts
• Prevent device updates by overwriting update sources completely,
• Prevent the execution of the built-in QNAP MalwareRemover App.
• Gather all usernames and passwords related to the device and sent them to the C2 server.
• Load new modules implementing new features from the C2 servers.
• Call-home at specific intervals.

At the time of writing, it is still unclear how threat actor will use the malware (i.e. DDoS attack, cryptocurrency miner, data harvesting).

The modular structure of the malware could allow QSnatch operators to perform a broad range of malicious activities by deploying the necessary modules.

Experts at NCSC-FI suggests to perform a full factory reset of the NAS device to clean the infected devices, another unconfirmed method is to apply an update provided by the vendor. 

Once cleaned the device, experts suggest the following actions:

• Change all passwords for all accounts on the device
  Remove unknown user accounts from the device
  Make sure the device firmware is up-to-date and all of the applications are also updated
  Remove unknown or unused applications from the device
  Install QNAP MalwareRemover application via the App Center functionality
  Set an access control list for the device (Control panel -> Security -> Security level).

In the past months, other malware targeted NAS devices, in July researchers at two security firms Intezer and Anomali discovered a new piece of ransomware targeting QNAP NAS devices. The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. 

In February, users of the QNAP NAS devices reported a mystery string of malware attacks that disabled software updates by hijacking entries in host machines’ hosts file.

In September, a piece of ransomware tracked as Muhstik was spotted while targeting QNAP network-attacked storage (NAS) devices.

One of the first attacks against QNAP is dated back 2014, at the time security experts at Sans Institute discovered a worm that exploits the popular Shellshock flaw to compromise QNAP systems in the wild.

Pierluigi Paganini

(SecurityAffairs – QNAP, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]