A malware threat dubbed QSnatch is known to target NAS (Network-Attached Storage) devices manufactured by the Taiwan-based QNAP Systems, Inc. Malware researchers at Finland's National Cyber Security Center (NCSC-FI) were the first to spot the activity of this new threat in the middle of October 2019. A detailed analysis of the automatic reports provided by the Center's proprietary Autoreporter service allowed them to expose a number of QSnatch-infected storage devices trying to establish communication with remote C&C (Command & Control) servers. Although the Finnish experts initially believed they were dealing with the MS Windows-tailored Caphaw malware, a thorough inspection of the C2 communication revealed that the malware's prime targets were QNAP NAS devices instead. QNAP Systems, Inc. has since issued firmware updates aimed at neutralizing QSnatch from all of its infected devices.
QSnatch Damage Potential
Researchers have yet to determine the infection vectors (IVs) deployed by the crooks in charge to spread QSnatch among QNAP's hardware. What they do know, however, is that QSnatch plants its malicious code directly into the firmware of the host device and then runs it as a legitimate process in QTS, QNAP's NAS-tailored Operating System. Once running, QSnatch attempts to establish a connection with remote C&C servers presumably operated by the same cyber crooks. If successful, such a connection would allow QSnatch to fetch additional malware onto the infected device through the "HTTP GET https://
Once this is completed, the QSnatch malware will be able to cause quite a stir in the compromised host. Depending on the malicious module(s) currently retrieved from the C2 server (with more potentially to come due to QSnatch's modular capacity), QSnatch may be capable of:
- Preventing applications and firmware from applying updates, since an update could interfere with its malicious behavior.
- Disabling the QNAP MalwareRemover application if the users have installed this program on their PCs.
- Bringing in new malware from the attackers' C&C server.
- Altering active time-based job schedulers (cronjobs) and init files (initialization scripts that are executed to start necessary processes as part of the boot process).
- Harvesting all login credentials and system configuration files present on the infected host and transferring them to the C&C server of its operators.
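As an added defensive example (not code from the article or from QNAP), the following script checks the two persistence points listed above, cron entries and init scripts, against a baseline taken from a clean device; the file path and all baseline and sample entries are constructed placeholders, not real QTS content.

```python
# Baseline comparison of NAS persistence points (cron entries, init scripts).
# Assumed/constructed: the autorun.sh path and every entry below are placeholders.
import hashlib
import re

# Constructed baseline captured from a clean device (hypothetical entries).
BASELINE_CRON = {
    "0 3 * * * /etc/init.d/backup.sh",
    "*/5 * * * * /usr/bin/health_check",
}
BASELINE_INIT_SHA256 = {
    "/etc/config/autorun.sh": hashlib.sha256(b"#!/bin/sh\nexit 0\n").hexdigest(),
}

def parse_cron(text):
    """Return the set of active cron entries, ignoring comments and blank lines."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(re.sub(r"\s+", " ", line))  # normalise whitespace
    return entries

def diff_cron(current_text, baseline=BASELINE_CRON):
    """Return (added, removed): jobs not in the baseline (possible persistence)
    and baseline jobs that vanished (e.g. an update or anti-malware job)."""
    current = parse_cron(current_text)
    return sorted(current - baseline), sorted(baseline - current)

def changed_init_scripts(contents, baseline=BASELINE_INIT_SHA256):
    """contents maps script path -> bytes read from the device; returns paths
    whose SHA-256 differs from the baseline or that the baseline never listed."""
    changed = []
    for path, data in contents.items():
        if baseline.get(path) != hashlib.sha256(data).hexdigest():
            changed.append(path)
    return sorted(changed)

if __name__ == "__main__":
    # Constructed "current" state: one job added, the health check removed.
    sample_cron = "# QTS crontab (constructed sample)\n" \
                  "0 3 * * * /etc/init.d/backup.sh\n" \
                  "*/10 * * * *   /tmp/unexpected_job\n"
    added, removed = diff_cron(sample_cron)
    print("added:", added, "removed:", removed)
    print("changed init scripts:", changed_init_scripts(
        {"/etc/config/autorun.sh": b"#!/bin/sh\n/tmp/unexpected_job\n"}))
```

Run it periodically from a trusted host against copies of the device's cron and init files, and treat any added job or changed script as a reason to re-check the device.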
Remove QSnatch From an Infected Device
In response to the initial Oct. 25, 2019 reports on the QSnatch malware attack, QNAP Systems swiftly provided a live firmware update for the QTS OS itself, accessible from the QTS Control Panel menu. The vendor also put out an update for its Malware Remover app, available from QTS's App Center. While those new versions of Malware Remover - 220.127.116.11 and 18.104.22.168, respectively - should be sufficient to remove QSnatch from infected devices, users should also change their already compromised login credentials to avoid reinfection. Last but not least, QNAP has urged customers to install the QTS Security Counselor app (also found in the QTS App Center) to bring the network security of their NAS devices to a higher level.
In addition to the steps mentioned above, NAS users should take a number of further actions to shield their devices from future attacks, including but not limited to:
- Steering clear of default port numbers - 8080/81, 443, 80, and 22 to name but a few
- Activating IP protection against brute-force attempts
- Deleting inactive accounts, suspicious apps, and unused apps/services (Web Server, SQL Server, SSH, Telnet, etc.)
Additional guidance on how to implement the measures outlined above can be found in QNAP Systems' security advisory dedicated specifically to the QSnatch malware.