New QSnatch malware attack reports: 62,000 QNAP NAS devices infected

The QSnatch malware that was first spotted in 2019 grew from 7,000 bots to more than 62,000 affected devices

Security experts alert about QSnatch malwareAccording to security alters,[1] the malware has infected network-attached storage – NAS devices from the developer QNAP.[2] Cybersecurity teams from the United States and the United Kingdom,[3] state that attacks with QSnatch malware have been traced to 2014. The intensified operations were noticed last year when reports stated about 7,000 infected devices.[4] This number has grown to 62,000 six months after.

The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019.

CISA and NSCS reports show that 7,600 of those affected devices are in the US, more than 3,900 of them in the UK. Almost half of the infected machines are located in Western Europe. Unfortunately, this malware is extremely dangerous and pretty much any QNAP NAS device is potentially vulnerable if not properly updated and patched with all the latest security fixes. Also, once the device gets infected, attackers can prevent the user from running the firmware updates and remain on the corrupted device.

Data-stealing malware capabilities

The joint advisory stated that two campaigns used different versions of the QSnatch malware. The latest version, used more recently was the one investigated in-depth. The malware comes with a broad set of features that include:

  • CGI password logging module that installs a fake version of the device admin login page, so authentication get bypassed, and users enter their details as on a legitimate login page.
  • Credential stealer module that can scrape any details that are valuable for the attacker.
  • SSH backdoor module that provides arbitrary code execution option on the infected device.
  • Webshell functionality for remote access.
  • Data exfiltration that allows QSnatch malware to steal wanted files, system configurations, log data. This information can get encrypted and sent to the attackers’ infrastructure over HTTPS.

QSnatch virus distribution still a mystery for researchers 

Vulnerabilities in QNAP software can be exploited for such goals, or default passwords may be used for the administrative accounts. These are only assumptions, and none of the methods can be verified without a doubt. It is only known that once that attacker gains the foothold on the device and inject QSnatch malware into the firmware full control of the device can be taken.

Any future updates that could help with malware elimination get blocked by the malware too, so CISA and NSCS urge companies to patch QNAP NAS devices as soon as possible. Failing to terminate the infection can lead to backdoor malware attacks, direct corruption in company networks and access to NAS devices. The last one is dangerous because these devices are often used to store backups and sensitive files.

The network, those malicious actors used in these two more recent campaigns, is no longer active. The second wave of these attacks involved injecting the malware while using the domain generation algorithm that helps to set up command-and-control[5] channel for the communication with infected hosts and exfiltrate the sensitive details. The second series of these attacks are possible since the infection remains active around the internet and on infected devices.