Warning over QSnatch malware infecting QNAP NAS devices

After gaining access to a device, the malware injects malicious code into the firmware to gain persistence

Germany's computer emergency response team (CERT-Bund) has issued a warning over QSnatch malware that has infected more than 7,000 QNAP NAS devices in Germany alone.

According to CERT-Bund, the malware targets network-attached storage (NAS) devices manufactured by the Taiwanese firm QNAP. The malware appears to be targeting those devices running outdated firmware.

https://twitter.com/certbund/status/1189890405749460992?ref\\_src=twsrc%5Etfw

QSnatch malware was first spotted in mid-October by Finland's National Cyber Security Centre (NCSC-FI). The centre said its Autoreporter service spotted a large number of devices trying to communicate with some specific command and control (C&C) servers. Autoreporter automatically generated warning reports and sent them to admins to caution about security incidents in networks.

"Originally the malware was designated as Caphaw, which is targeted to Windows-operating systems, but the parameters used in the C2 traffic had strong indications towards QNAP-devices, and an investigation was started," NCSC-FI said in a post.

Further analysis revealed that the malware, after gaining access to a device, injects malicious code into the firmware to gain reboot persistence. It then uses domain generation algorithms to download more malware from C&C servers, which is then run inside the operating system.

A detailed analysis of the QSnatch's code revealed some interesting details about the malware.

According to NCSC-FI, the malware is capable of:

extracting credentials for all NAS users
altering OS timed jobs and scripts
overwriting update source URLs to prevent future firmware update
blocking the native QNAP MalwareRemover App from executing

The security specialists said that performing a factory reset of the infected device is the only confirmed way so far of removing QSnatch infection. Installing a QNAP NAS firmware update (released in February 2019) may also remove the infection, according to some users, but this has not yet been confirmed by NCSC-FI or QNAP.

NCSC-FI is advising device owners to disconnect them from the internet in order to deal with the aftermath of an infection. Owners are also advised to remove unknown accounts from their devices, to change passwords, and to also create an access control list for the device.

"NCSC-FI recommends that NAS devices are categorically not exposed to the internet without firewalling to prevent external attacks," the Centre said.

"Additionally constant updates will provide protection against vulnerabilities found within the systems," it added.