Risk from Malware Targeting QNAP NAS Devices [QSnatch malware]
All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe.
Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.
CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.
It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.
Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.
To prevent QSnatch malware infections, we strongly recommend that organizations take the measures recommended in QNAP’s November 2019 advisory.
Table 2: QSnatch samples – SHC-compiled ELF shell scripts
SH Samples (SHA256) |
---|
18a4f2e7847a2c4e3c9a949cc610044bde319184ef1f4d23a8053e5087ab641b |
3615f0019e9a64a78ccb57faa99380db0b36146ec62df768361bca2d9a5c27f2 |
845759bb54b992a6abcbca4af9662e94794b8d7c87063387b05034ce779f7d52 |
6e0f793025537edf285c5749b3fcd83a689db0f1c697abe70561399938380f89 |
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.