Bitcoin Miner [oom_reaper] targets QNAP NAS devices

Pierluigi Paganini December 07, 2021

Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners.

Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin

The above process could occupy around 50% of the total CPU usage while mimicking a kernel process, but the vendor notices that the associated PID is usually greater than 1000.

“A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named “[oom_reaper]” could occupy around 50% of the total CPU usage. This process mimics a kernel process but its PID is usually greater than 1000.” reads the advisory published by the vendor. “We strongly recommend users to act immediately to protect their device.”

Customers can contact the company through the QNAP Helpdesk for any questions regarding this campaign.

The Bitcoin miner employed in the campaign seems to lack of persistence mechanism, this means that restarting the device may remove the malware.

QNAP recommends customers the following actions to protect their devices:

  1. Update QTS or QuTS hero to the latest version.
  2. Install and update Malware Remover to the latest version.
  3. Use stronger passwords for your administrator and other user accounts.
  4. Update all installed applications to their latest versions.
  5. Do not expose your NAS to the internet, or avoid using default system port numbers 443 and 8080.

Unfortunately, QNAP NAS devices were targeted by multiple malware campaigns in the last few years. In August, a new variant of the eCh0raix ransomware targeted the devices of the Taiwanese companies QNAP and Synology.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In May, the Taiwanese vendor warned customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment