Risk from Malware Targeting QNAP NAS Devices [QSnatch malware]

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe.

Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.

It is important to note that the infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat to unpatched devices remains.

Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.

To prevent QSnatch malware infections, we strongly recommend that organizations take the recommended measures in QNAP’s November 2019 advisory.

SH Samples (SHA256)

Table 2: QSnatch samples – SHC-compiled ELF shell scripts

SH Samples (SHA256)

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
