Thousands of QNAP NAS devices are getting infected with a malware dubbed QSnatch that injects into their firmware and proceeds to steal credentials and load malicious code retrieved from its command and control (C2) servers.

Germany's Computer Emergency Response Team (CERT-Bund) says that, based on sinkhole data, roughly 7,000 NAS devices in Germany are currently affected by QSnatch infections.

The malware strain was spotted by researchers at the National Cyber Security Centre of Finland (NCSC-FI) after receiving reports from the Autoreporter service of infected NAS devices trying to communicate to C2 servers.

While initially, the malware was thought to be a variant of the Caphaw (aka Shylock) banking malware, a more detailed investigation based on the C2 traffic featuring QNAP-related parameters led to the discovery of the new QSnatch malware.

The malware received the QSnatch name based on the devices it targets and the information "snatching" activity detailed below.

It is nice to close a busy week at @CERTFI (NCSC-FI) with a new malware discovery: #Qsnatch targets #QNAP #NAS devices. Here the NCSC-FI #Autoreporter service played a critical part on anomaly discovery - together with our sharp malware specialists. https://t.co/43nyfUKWu3 — Kauto Huopio (@kautoh) October 25, 2019

Infection and malicious activity

While the infection vector is not yet known, the researchers found that QSnatch will get injected into the firmware of QNAP NAS devices during the infection stage, with the malicious code being "run as part of normal operations within the device."

Once it manages to infect the firmware, the device is compromised and the malware will use "domain generation algorithms to retrieve more malicious code from C2 servers" using an HTTP GET request of the following form:

HTTP GET https://[generated-address]/qnap_firmware.xml?=t[timestamp]"

After downloading a payload from the C2 server it will execute it on the infected QNAP NAS device with system rights and will perform a series of malicious actions including but not limited to:

• Operating system timed jobs and scripts are modified (cronjob, init scripts)

• Firmware updates are prevented via overwriting update sources completely

• QNAP MalwareRemover App is prevented from being run

• All usernames and passwords related to the device are retrieved and sent to the C2 server

• The malware has modular capacity to load new features from the C2 servers for further activities

• Call-home activity to the C2 servers is set to run with set intervals

How to clean an infected QNAP NAS device

QNAP NAS devices can be cleaned off after getting infected with the QSnatch malware by doing a full factory reset that will unfortunately also completely erase the data stored on the compromised device.

Applying a security update issued by QNAP during February might also help remove a QSnatch infection, however, as the NCSC-FI researchers explain this is not yet confirmed.

"NCSC-FI has not been able to confirm whether the update actually removes the malware, and this is also acknowledged by the manufacturer," says their report.

Users are also advised to go through the following recommended steps once they remove the QSnatch infection from their devices and to file a ticket with QNAP's support, if needed:

• Change all passwords for all accounts on the device

• Remove unknown user accounts from the device

• Make sure the device firmware is up-to-date and all of the applications are also updated

• Remove unknown or unused applications from the device

• Install QNAP MalwareRemover application via the App Center functionality

• Set an access control list for the device (Control panel -> Security -> Security level)

NCSC-FI also recommends all NAS owners to keep them up to date and protect them from being exposed to connections from the Internet with the help of a firewall to block potential attacks.

Malware targeting QNAP devices

QNAP issued a security advisory about NAS devices with weak SQL server passwords and running phpMyAdmin being attacked by Muhstik Ransomware in early October.

In August, another advisory detailed an eCh0raix Ransomware (also known as QNAPCrypt) campaign targeting QNAP NAS devices with weak passwords and outdated QTS firmware.

Security researcher and ransomware expert BloodDolly released an eCh0raix decryptor for some variants in a BleepingComputer support topic one week earlier.

QNAP also warned customers in May 2018 of ongoing VPNFilter malware attacks attempting to infect QNAP NAS devices using the default password for the administrator account or running QTS 4.2.6 build 20170628, 4.3.3 build 20170703, and earlier versions.

Update November 01, 12:04 EDT: QNAP says in a security advisory released today that an update for the Malware Remover app will be released as soon as possible to address the QSnatch malware threat.

QNAP also recommends taking the following measures to avoid infections:

Update QTS to the latest version. Install and update Security Counselor to the latest version. Use a stronger admin password. Enable IP and account access protection to prevent brute force attacks. Disable SSH and Telnet connections if you are not using these services. Avoid using default port numbers 443 and 8080.

Update November 04, 13:53 EST: QNAP says that it "added rules to remove the QSnatch malware and released Malware Remover 3.5.4.0 and 4.5.4.0."