QSnatch snatching credentials in an ongoing campaign


QSnatch, a malware family targeting QNAP NAS devices, has already infected thousands of devices and shows no sign of stopping. It was first identified in October 2019 by the National Cyber Security Centre of Finland (NCSC-FI), after its Autoreporter service received reports of infected QNAP NAS devices communicating with specific command-and-control (C2) servers.

The activity was initially classified as CAPHAW, a Windows malware family, but closer analysis of the C2 traffic showed that the infected hosts were QNAP NAS devices. QSnatch injects malicious code into the device firmware, where it runs as part of the device's normal operation. Once the device is fully compromised, the malware uses a domain generation algorithm (DGA) to locate its C2 servers and fetch additional malicious code, which is then used to carry out a range of operations on the device.

The main functionalities of the malware, as identified by NCSC-FI, are:

  • Operating system timed jobs and scripts are modified (cron jobs, init scripts)
  • Firmware updates are prevented by completely overwriting the update sources
  • The QNAP MalwareRemover app is prevented from running
  • All usernames and passwords stored on the device are retrieved and sent to the C2 server
  • The malware is modular and can load new features from the C2 servers for further activity
  • Call-home activity to the C2 servers runs at set intervals
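Two of the behaviours above (DGA-based C2 lookups and call-home at fixed intervals) are visible from the network even when the NAS itself hides the infection. The following is an added example, not code from the original advisory, NCSC-FI or QNAP: it runs over a constructed resolver log and flags a client that resolves random-looking domains at a near-constant interval. The log format, the entropy and jitter thresholds, the sample domains and the IP addresses are all assumptions made for the example; QSnatch's real DGA and beacon interval are not described on this page.

```python
"""Hunt for timed call-home to DGA-style domains in DNS resolver logs.

Added example, not code from the original advisory or from NCSC-FI/QNAP.
It flags a client that (a) resolves names whose second-level label looks
algorithmically generated and (b) does so at a near-constant interval.
The log format, thresholds and sample lines below are all assumptions.
"""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (ISO timestamp, client IP, queried name).
# 192.168.1.20 behaves like an infected NAS: a fresh DGA-looking domain
# every ~10 minutes. 192.168.1.35 is ordinary, irregular browsing noise.
SAMPLE_LOG = """\
2019-10-25T08:00:00 client 192.168.1.20 query ujx7qkv2hd.com
2019-10-25T08:03:12 client 192.168.1.35 query www.example.com
2019-10-25T08:10:00 client 192.168.1.20 query zp4wmq9bxt.com
2019-10-25T08:17:45 client 192.168.1.35 query update.example.org
2019-10-25T08:20:01 client 192.168.1.20 query kq8vn3jxwz.com
2019-10-25T08:29:59 client 192.168.1.20 query h7tcx5qpvj.com
2019-10-25T08:40:00 client 192.168.1.20 query wq2jz8vkxt.com
2019-10-25T08:41:02 client 192.168.1.35 query www.example.com
2019-10-25T08:41:30 client 192.168.1.35 query mail.example.com
2019-10-25T08:55:09 client 192.168.1.35 query www.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client (?P<ip>[\d.]+) query (?P<qname>\S+)$")


def shannon_entropy(text):
    """Bits per character of `text` (higher for random-looking strings)."""
    n = len(text)
    counts = {c: text.count(c) for c in set(text)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_generated(label):
    """Heuristic for a DGA-style label: long, high entropy, few vowels or digits mixed in."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    has_digit = any(c.isdigit() for c in label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.25 or has_digit)


def parse_log(text):
    """Yield (datetime, client_ip, qname) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["qname"].rstrip(".")


def group_key(ip, qname):
    """Bucket DGA-looking names per client; bucket normal names per registered domain.

    A DGA client resolves a different name on every beacon, so the timing
    pattern only becomes visible when all of its generated names are pooled.
    """
    labels = qname.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if looks_generated(sld):
        return ip, "<dga-like>"
    return ip, ".".join(labels[-2:])


def hunt_beacons(text, min_queries=4, max_jitter=0.10):
    """Return buckets whose query spacing is regular enough to be a timed call-home."""
    buckets = defaultdict(list)
    for ts, ip, qname in parse_log(text):
        buckets[group_key(ip, qname)].append(ts)

    findings = []
    for (ip, target), stamps in buckets.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean  # coefficient of variation
        if jitter <= max_jitter:
            findings.append({
                "client": ip,
                "target": target,
                "dga_like": target == "<dga-like>",
                "queries": len(stamps),
                "mean_interval_s": round(mean),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log only 192.168.1.20 is reported, with five DGA-like lookups roughly 600 seconds apart. The entropy heuristic is deliberately loose; in practice pair it with NXDOMAIN counts from the resolver, since a DGA client resolves far more unregistered names than a normal host, and tune `max_jitter` to the interval precision your logging actually gives you.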

Affected Products

QNAP Network Attached Storage (NAS) devices.


Impact

The malware compromises the device, modifies operating system timed jobs and scripts, blocks the installation of new firmware updates, and steals all usernames and passwords stored on the device, sending them to its C2 servers.


Solution
QNAP has released Malware Remover 3.5.4.0 and 4.5.4.0 with new rules to remove QSnatch, and its advisory details the steps to reduce the risk of infection. The report published by NCSC-FI includes the steps needed to clean an infected device. Because the malware exfiltrates every credential stored on the device and blocks firmware updates, treat cleanup as incomplete until all device credentials (and any of them reused elsewhere) have been changed and the firmware has been brought up to a current version.

We strongly recommend that all system administrators follow the security guidelines provided by the vendor to avoid infection.