The campaign found to be active since late 2019, and they primarily target Network Attached Storage (NAS) devices manufactured by the firm QNAP.
QSnatch Malware Campaign
CISA and NCSC discovered that two campaigns of QSnatch malware activity;
- The first campaign began in early 2014 and continued until mid-2017
- The second campaign starts in late 2018 and was still active in late 2019.
“This alert focuses on the second campaign as it is the most recent threat. It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.,” CISA said.
The malware is highly sophisticated, and its infection vector has not been identified. It appears the malware directly gets inject to the device firmware during the infection stage and the malicious code runs within the device compromising it.
Following are the malware functionalities
- CGI password logger
- Credential scraper
- SSH backdoor
- Webshell functionality for remote access
C2 communication established using a domain generation algorithm (DGA) that generates multiple domain names for use in C2 communications.
For maintaining persistence the malware prevents installing updates with the infected QNAP device by modifying the host’s file.
According to CISA analysis, “in mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”
CISA and NCSC recommend organizations running a vulnerable version must run a full factory reset on the device before completing the firmware upgrade to ensure the device is not left vulnerable. Also, CISA provides mitigations for organizations.