QNAP urges users to update Malware Remover after QSnatch joint alert

The Taiwanese vendor QNAP urges its users to update the Malware Remover app following the alert on the QSnatch malware.

The Taiwanese company QNAP is urging its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware.

This week, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint advisory about a massive ongoing campaign spreading the QSnatch data-stealing malware.

“CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.” reads the alert. “Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”

The malicious code specifically targets QNAP NAS devices manufactured by Taiwanese company QNAP, it already infected over 62,000 QNAP NAS devices.

The QSnatch malware implements multiple functionalities, such as:  

• CGI password logger
  • This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
• Credential scraper
• SSH backdoor
  • This allows the cyber actor to execute arbitrary code on a device.
• Exfiltration
  • When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
• Webshell functionality for remote access

QSnatch (aks Derek) is a data-stealing malware that was first details by the experts at the National Cyber Security Centre of Finland (NCSC-FI) in October 2019. The experts were alerted about the malware in October and immediately launched an investigation.

At the time, the German Computer Emergency Response Team (CERT-Bund) reported that over 7,000 devices have been infected in Germany alone.

QNAP attempted to downplay the effects of the campaign aimed at infecting its NAS devices.

“QNAP reaffirms that at this moment no malware variants are detected, and the number of affected devices shows no sign of another incident.” reads a post published by the company.

“Certain media reports claiming that the affected device count has increased from 7,000 to 62,000 since October 2019 are inaccurate due to a misinterpretation of reports from different authorities,”

The vendor recommends installing the latest version of the Malware Remover app that is available through the QTS App Center or on its website.

“Users are urged to install the latest version of the Malware Remover app from the QTS App Center or by manual downloading from the QNAP website. QNAP also recommends a series of actions for enhancing QNAP NAS security. They’re also detailed in the security advisory.” continues the advisory.

Below some of the actions recommended by the vendor:

1. Update QTS and Malware Remover.
2. Install and update Security Counselor.
3. Change the admin password and use a strong one.
4. Enable IP and account access protection to prevent brute force attacks.
5. Disable SSH and Telnet connections if they are not necessary.
6. Avoid using default ports (i.e. 443 and 8080).

Even though the attach chain is not clear, the joint alert reveals that some QSnatch samples will intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494.

According to the experts, currently, the attack infrastructure behind the previous QSnatch campaign is not more active, but users have to update their NAS devices as soon as possible to prevent future attacks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QSnatch)

[adrotate banner=”5″]

[adrotate banner=”13″]