Security experts warn of a new piece of malware dubbed QSnatch that already infected thousands of QNAP NAS devices worldwide.

A new piece of malware dubbed QSnatch is infecting thousands of NAS devices manufactured by the Taiwanese vendor QNAP.

The name comes after the target vendor and the “snatching” activity the malware performs.

According to the German Computer Emergency Response Team (CERT-Bund), over 7,000 devices have been infected in Germany alone.

Auf Basis von Sinkhole-Daten sind aktuell bereits ca. 7.000 NAS-Geräte in Deutschland betroffen.

Weitere Informationen von unseren Kollegen bei @CERTFI:https://t.co/DgrWKoRHS0 — CERT-Bund (@certbund) October 31, 2019

A couple of weeks ago, the experts at the National Cyber Security Centre of Finland (NCSC-FI), published a report on the QSnatch malware. The experts were alerted about the malware in October and immediately launched an investigation.

“NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate to specific command and control (C2) servers.” reads the report. “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.”

At the time the infection vector is still unclear, once the malware access to a vulnerable device the malicious code is injected into the firmware to gain reboot persistence.

The sample analyzed by the expert was able to perform the following actions:

Modify operating system timed jobs and scripts ( cronjob , init scripts

, scripts Prevent device updates by overwriting update sources completely,

Prevent the execution of the built-in QNAP MalwareRemover App.

App. Gather all usernames and passwords related to the device and sent them to the C2 server.

Load new modules implementing new features from the C2 servers.

Call-home at specific intervals.

At the time of writing, it is still unclear how threat actor will use the malware (i.e. DDoS attack, cryptocurrency miner, data harvesting).

The modular structure of the malware could allow QSnatch operators to perform a broad range of malicious activities by deploying the necessary modules.

Experts at NCSC-FI suggests to perform a full factory reset of the NAS device to clean the infected devices, another unconfirmed method is to apply an update provided by the vendor.

Once cleaned the device, experts suggest the following actions:

Change all passwords for all accounts on the device

Remove unknown user accounts from the device

Make sure the device firmware is up-to-date and all of the applications are also updated

Remove unknown or unused applications from the device

Install QNAP MalwareRemover application via the App Center functionality

Set an access control list for the device (Control panel -> Security -> Security level).

In the past months, other malware targeted NAS devices, in July researchers at two security firms Intezer and Anomali discovered a new piece of ransomware targeting QNAP NAS devices. The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files.

In February, users of the QNAP NAS devices reported a mystery string of malware attacks that disabled software updates by hijacking entries in host machines’ hosts file.

In September, a piece of ransomware tracked as Muhstik was spotted while targeting QNAP network-attacked storage (NAS) devices.

One of the first attacks against QNAP is dated back 2014, at the time security experts at Sans Institute discovered a worm that exploits the popular Shellshock flaw to compromise QNAP systems in the wild.

Pierluigi Paganini

( SecurityAffairs – QNAP, malware)

Share this...

Linkedin Reddit Pinterest

Share On