QSnatch malware infects thousands of Qnap NAS systems


Thousands of Qnap NAS systems have been infected with the QSnatch malware. Among other things, the virus steals passwords and prevents firmware updates. A Finnish computer authority published a report on the malware last week.

In Germany alone, there have been 7,000 reports of the malware, the German computer emergency response team says on Twitter. It is still unclear how the virus spreads, but a report from the Finnish NCSC-FI provides some details about how it works. Once the virus gains access to a device, QSnatch settles into the firmware, after which it persists across reboots.

According to an analysis by the NCSC-FI, QSnatch can, among other things, modify tasks that run in the operating system, prevent firmware updates and steal passwords. Qnap’s built-in antivirus software also doesn’t work because of the malware. It is unclear what the creators of the virus hope to achieve.

It is possible that the makers of QSnatch are currently building a botnet, and that they will distribute new modules in the future, ZDNet writes. The NCSC-FI has confirmed that the virus can connect to a remote command-and-control application.

Currently, the virus can only be removed by completely resetting an infected NAS system to factory settings. This will erase all data. Some users report that an update from February 2019 seems to remove the malware, but it is unclear whether it completely removes the virus. The device may also remain susceptible to new infections.

The explicit advice of the NCSC-FI is not to connect NAS systems to the internet without a firewall. Users are also advised to change the passwords of all accounts on the device, delete unknown user accounts, keep the firmware up to date, and install the Qnap MalwareRemover. Setting up an access control list is also recommended.

QSnatch is not the first malware targeting NAS systems. Earlier this year, for example, the eCh0raix ransomware was discovered. Muhstik also specifically targets Qnap systems, but the encryption keys of this malware were published by a duped hacker. In 2014, Synology NAS systems were hit by ransomware.
