QSnatch Malware Infects Thousands of NAS Devices, Steals Credentials

Posted by & filed under Security Alerts.

Thousands of QNAP NAS devices are getting infected with a malware dubbed QSnatch that injects into their firmware and proceeds to steal credentials and load malicious code retrieved from its command and control (C2) servers.

Germany’s Computer Emergency Response Team (CERT-Bund) says that, based on sinkhole data, roughly 7,000 NAS devices in Germany are currently affected by QSnatch infections.

The malware strain was spotted by researchers at the National Cyber Security Centre of Finland (NCSC-FI) after receiving reports from the Autoreporter service of infected NAS devices trying to communicate to C2 servers.

While initially, the malware was thought to be a variant of the Caphaw (aka Shylock) banking malware, a more detailed investigation based on the C2 traffic featuring QNAP-related parameters led to the discovery of the new QSnatch malware.

The malware received the QSnatch name based on the devices it targets and the information “snatching” activity detailed below.

Kauto Huopio@kautoh

It is nice to close a busy week at @CERTFI (NCSC-FI) with a new malware discovery: targets devices. Here the NCSC-FI service played a critical part on anomaly discovery – together with our sharp malware specialists. https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices 

See Kauto Huopio’s other Tweets

Infection and malicious activity

While the infection vector is not yet known, the researchers found that QSnatch will get injected into the firmware of QNAP NAS devices during the infection stage, with the malicious code being “run as part of normal operations within the device.”

Once it manages to infect the firmware, the device is compromised and the malware will use “domain generation algorithms to retrieve more malicious code from C2 servers” using an HTTP GET request of the following form:

HTTP GET https:///qnap_firmware.xml?=t

After downloading a payload from the C2 server it will execute it on the infected QNAP NAS device with system rights and will perform a series of malicious actions including but not limited to:

• Operating system timed jobs and scripts are modified (cronjob, init scripts)
• Firmware updates are prevented via overwriting update sources completely
• QNAP MalwareRemover App is prevented from being run
• All usernames and passwords related to the device are retrieved and sent to the C2 server
• The malware has modular capacity to load new features from the C2 servers for further activities
• Call-home activity to the C2 servers is set to run with set intervals

How to clean an infected QNAP NAS device

QNAP NAS devices can be cleaned off after getting infected with the QSnatch malware by doing a full factory reset that will unfortunately also completely erase the data stored on the compromised device.

Applying a security update issued by QNAP during February might also help remove a QSnatch infection, however, as the NCSC-FI researchers explain this is not yet confirmed.

“NCSC-FI has not been able to confirm whether the update actually removes the malware, and this is also acknowledged by the manufacturer,” says their report.

Users are also advised to go through the following recommended steps once they remove the QSnatch infection from their devices and to file a ticket with QNAP’s support, if needed:

• Change all passwords for all accounts on the device
• Remove unknown user accounts from the device
• Make sure the device firmware is up-to-date and all of the applications are also updated
• Remove unknown or unused applications from the device
• Install QNAP MalwareRemover application via the App Center functionality
• Set an access control list for the device (Control panel -> Security -> Security level)

NCSC-FI also recommends all NAS owners to keep them up to date and protect them from being exposed to connections from the Internet with the help of a firewall to block potential attacks.

Malware targeting QNAP devices

QNAP issued a security advisory about NAS devices with weak SQL server passwords and running phpMyAdmin being attacked by Muhstik Ransomware in early October.

In August, another advisory detailed an eCh0raix Ransomware (also known as QNAPCrypt) campaign targeting QNAP NAS devices with weak passwords and outdated QTS firmware.

Security researcher and ransomware expert BloodDolly released an eCh0raix decryptor for some variants in a BleepingComputer support topic one week earlier.

QNAP also warned customers in May 2018 of ongoing VPNFilter malware attacks attempting to infect QNAP NAS devices using the default password for the administrator account or running QTS 4.2.6 build 20170628, 4.3.3 build 20170703, and earlier versions.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.