QSnatch Malware Prevention and Cleanup
In this highly digitalized era, many SMEs and personal computer users are leveraging the easy-to-manage and low-cost nature of Network-attached Storage (NAS) devices to store information and multimedia files. This makes the devices an obvious target for cyber criminals. A recent HKCERT review of the malware situation in Hong Kong has estimated that around 2,000 QNAP NAS devices locally had been infected with a malware called QSnatch and had become part of a botnet. To address the issue, Internet service providers have been contacted to help inform the victims so that they can clean up their infected devices.
What is QSnatch?
QSnatch is a malware specifically targeting NAS devices made by Taiwanese manufacturer QNAP. Once infected, the device communicates with attacker-operated command and control servers using a domain generation algorithm (DGA), which periodically generates a new destination domain name to avoid being tracked or blocked. The malware contains multiple malicious functions, such as:
- CGI password logger – logs user’s password by showing a fake version of the device admin login page
- Credential scraper – sends all usernames and passwords to the attackers’ servers
- SSH backdoor – enables the remote attackers to run arbitrary code on the device
- Exfiltration – sends system configurations and log files to the attacker’s servers
- Web shell – gives the attackers remote access to the device
Apart from stealing information, QSnatch can also block the firmware update process of the NAS device, leaving it vulnerable to other serious cyber attacks such as ransomware.
Advice to device owners
To prevent NAS devices from infection, users are recommended to take the following actions:
- Update the device firmware to the latest version
- Install Security Counselor and Malware Remover and update them to the latest versions provided by the manufacturer
- Enable IP and account access protection to prevent brute force attacks
- Change the admin and user passwords regularly
- Disable unused protocols and applications, e.g. SSH, Telnet, Web Server, SQL server, phpMyAdmin
- Avoid using default port numbers, e.g. 22, 443, 80, 8080, 8081, etc.
- If the device is intended for internal use only, disable external access or set up a network firewall
If you suspect your device is infected or you are unable to update the firmware, you should:
- Download and install the latest version of Malware Remover from the official website
- Scan the device using the remover