Hackers have infected thousands of network-attached storage (NAS) devices from Taiwanese vendor QNAP with a new strain of malware named QSnatch.
Over 7,000 infections have been reported in Germany alone, the German Computer Emergency Response Team (CERT-Bund) said today. Thousands more are believed to be infected worldwide, in what appears to be an ongoing outbreak.
Information on how QSnatch works is still scant, at the time of writing. The only report comes from the National Cyber Security Centre of Finland (NCSC-FI), the first cybersecurity organization to spot the malware last week.
NCSC-FI members have not yet discovered how this new threat spreads and infects QNAP NAS systems; however, once it gains access to a device, QSnatch burrows into the firmware to gain reboot persistence.
An analysis of the malware's code revealed the following capabilities:
These features describe the malware's capabilities but don't reveal its end-goal. It is unclear if QSnatch was developed to carry out DDoS attacks, to perform hidden cryptocurrency mining, or just as a way to backdoor QNAP devices to sensitive steal files or host malware payloads for future operations.
One theory is that the QSnatch operators are currently in the phase where they're building their botnet, and will deploy other modules in the future. NCSC-FI analysts confirmed that QSnatch has the ability to connect to a remote command-and-control, download, and then run other modules.
For the time being, the only confirmed method of removing QSnatch has been performing a full factory reset of the NAS device.
After a factory reset, users are advised to install the latest QNAP NAS firmware update available. QNAP has released a firmware update with QSnatch protections on November 1, 2019.
Other advice shared by NCSC-FI analysts on dealing with the aftermath of a QSnatch infection include:
QSnatch is the fourth malware strain spotted this year that has targeted NAS devices, following in the footsteps of a ransomware strain that impacted Synology devices, and the eCh0raix and Muhstik ransomware strains that impacted QNAP devices.
Article updated on November 3 with link to the QNAP firmware update.