Thousands of QNAP NAS devices have been infected with the QSnatch malware

Over 7,000 infections reported in Germany alone. The malware is still spreading.

world map cyber ddos globe

Hackers have infected thousands of network-attached storage (NAS) devices from Taiwanese vendor QNAP with a new strain of malware named QSnatch.

Over 7,000 infections have been reported in Germany alone, the German Computer Emergency Response Team (CERT-Bund) said today. Thousands more are believed to be infected worldwide, in what appears to be an ongoing outbreak.

Information on how QSnatch works is still scant, at the time of writing. The only report comes from the National Cyber Security Centre of Finland (NCSC-FI), the first cybersecurity organization to spot the malware last week.

NCSC-FI members have not yet discovered how this new threat spreads and infects QNAP NAS systems; however, once it gains access to a device, QSnatch burrows into the firmware to gain reboot persistence.

An analysis of the malware's code revealed the following capabilities:

  • Modify OS timed jobs and scripts (cronjob, init scripts)
  • Prevent future firmware updates by overwriting update source URLs
  • Prevents the native QNAP MalwareRemover App from running
  • Extracts and steals usernames and passwords for all NAS users

These features describe the malware's capabilities but don't reveal its end-goal. It is unclear if QSnatch was developed to carry out DDoS attacks, to perform hidden cryptocurrency mining, or just as a way to backdoor QNAP devices to sensitive steal files or host malware payloads for future operations.

One theory is that the QSnatch operators are currently in the phase where they're building their botnet, and will deploy other modules in the future. NCSC-FI analysts confirmed that QSnatch has the ability to connect to a remote command-and-control, download, and then run other modules.

Dealing with an infection

For the time being, the only confirmed method of removing QSnatch has been performing a full factory reset of the NAS device.

After a factory reset, users are advised to install the latest QNAP NAS firmware update available. QNAP has released a firmware update with QSnatch protections on November 1, 2019.

Other advice shared by NCSC-FI analysts on dealing with the aftermath of a QSnatch infection include:

  • Change all passwords for all accounts on the device
  • Remove unknown user accounts from the device
  • Make sure the device firmware is up-to-date and all of the applications are also updated
  • Remove unknown or unused applications from the device
  • Install QNAP MalwareRemover application via the App Center functionality
  • Set an access control list for the device (Control panel -> Security -> Security level)

QSnatch is the fourth malware strain spotted this year that has targeted NAS devices, following in the footsteps of a ransomware strain that impacted Synology devices, and the eCh0raix and Muhstik ransomware strains that impacted QNAP devices.

Article updated on November 3 with link to the QNAP firmware update.