UnityMiner Malware Description
The UnityMiner Malware is used to hijack the resources of QNAP storage devices and mine Monero coins with them. UnityMiner is a crypto-miner built on XMRig, an open-source miner that is popular among cybercriminals. UnityMiner is equipped with several features designed to mask the malware's activity for as long as possible. Instead of hogging all of the available cores, UnityMiner takes over only half of them. It also tampers with the reported CPU and memory usage figures to hide the abnormal system behavior if the user checks system usage through the QNAP Web management interface. The crypto-wallet address to which the mined Monero coins are sent is hidden behind three pool proxies.
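Because the miner is described as falsifying the usage figures shown in the web interface, a defender should read CPU utilisation directly from the kernel instead. The following added example (not code from the page, from QNAP or from the malware) parses two constructed /proc/stat snapshots and flags the pattern described above: about half the cores saturated while the rest sit idle. It assumes the NAS exposes a Linux-style /proc/stat, which QNAP's Linux-based QTS does.

```python
# Per-core CPU utilisation from two /proc/stat snapshots (added example).
# /proc/stat cpuN lines: user nice system idle iowait irq softirq steal ...

def parse_cpu_lines(snapshot: str) -> dict:
    """Return {cpu_name: (busy_jiffies, total_jiffies)} for each cpuN line,
    skipping the aggregate 'cpu' line."""
    cores = {}
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("cpu") or fields[0] == "cpu":
            continue
        values = [int(v) for v in fields[1:]]
        idle = values[3] + values[4]          # idle + iowait count as idle
        total = sum(values)
        cores[fields[0]] = (total - idle, total)
    return cores

def per_core_utilisation(before: str, after: str) -> dict:
    """Busy fraction (0.0 .. 1.0) per core between two snapshots."""
    a, b = parse_cpu_lines(before), parse_cpu_lines(after)
    util = {}
    for name in a.keys() & b.keys():
        busy = b[name][0] - a[name][0]
        total = b[name][1] - a[name][1]
        util[name] = busy / total if total > 0 else 0.0
    return util

def half_cores_pegged(util: dict, high: float = 0.9, low: float = 0.3) -> bool:
    """True when roughly half the cores are saturated and every other core is
    mostly idle, the split a half-core miner leaves behind."""
    n = len(util)
    pegged = sum(1 for u in util.values() if u >= high)
    rest_idle = all(u < low for u in util.values() if u < high)
    return n >= 2 and pegged > 0 and abs(pegged - n / 2) <= 1 and rest_idle

# Constructed sample: four cores, 100 jiffies elapsed per core between T0 and T1.
SNAPSHOT_T0 = """cpu  100 0 100 800 0 0 0 0 0 0
cpu0 25 0 25 200 0 0 0 0 0 0
cpu1 25 0 25 200 0 0 0 0 0 0
cpu2 25 0 25 200 0 0 0 0 0 0
cpu3 25 0 25 200 0 0 0 0 0 0
"""
SNAPSHOT_T1 = """cpu  293 0 106 1001 0 0 0 0 0 0
cpu0 120 0 25 205 0 0 0 0 0 0
cpu1 120 0 25 205 0 0 0 0 0 0
cpu2 27 0 26 297 0 0 0 0 0 0
cpu3 26 0 25 299 0 0 0 0 0 0
"""
```

In practice the two snapshots are `cat /proc/stat` a few seconds apart on the NAS itself; a mismatch between these figures and what the web interface shows is itself a sign worth investigating.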
On a compromised device, UnityMiner consists of two components: unity_install.sh and Quick.tar.gz. So far, two versions of the threat have been discovered, one for ARM64 and the other built for AMD64 systems. The appropriate version is deployed after the installer checks the system's CPU architecture.
While most crypto-mining threats rely on brute-force attacks and harvested credentials to infect their targets, the campaign deploying UnityMiner exploits two vulnerabilities in QNAP's network-attached storage (NAS) devices. Both vulnerabilities have been identified and, according to QNAP, can be chained to obtain remote code execution through a combination of improper access controls and a command injection flaw.
The critical vulnerabilities used in the UnityMiner Malware attack campaign were made public in a security advisory released on October 7, 2020, and they affect only devices running older firmware versions. Still, estimates suggest that hundreds of thousands of QNAP NAS devices remain unpatched and could be breached. QNAP has released a new product security news article urging users to update their devices.