How to Get Rid of the Qsnatch Malware

Network Attached Storage or NAS devices designed by QNAP have been found to be vulnerable to a malware named QSnatch. This warning is according to the advisory issued by United States Cybersecurity and Infrastructure Security Agency (CISA) together with the UK’s National Cyber Security Centre (NCSC).

QNAP creates NAS devices that are used as a local cloud backup for various devices, such as computers and phones, as well as many other programs. It employs a custom-built Linux operating system, which makes the QSnatch malware all the more impressive. It is still unclear how the malware is distributed, who the attackers are, and what their objectives are.

What is the Qsnatch Malware?

QSnatch is the fourth malware strain discovered in 2020 that has targeted NAS devices. This incident happened after the discovery of the ransomware strain that affected Synology devices, as well as the eCh0raix and Muhstik ransomware that infected QNAP devices.

This time, hackers have infected tens of thousands of network-attached storage devices from Taiwanese manufacturer, QNAP, with a new malware called QSnatch.

Various versions of the QSnatch malware have been spotted for many years now, as early as 2014 and 2017. Security agencies have identified two specific campaigns designed to spread this infection, the last one dating back to November 2019.

Interestingly enough, security experts still don’t know how QSnatch spreads, but it seems to be injected into the device firmware in the infection phase, with the malicious code running within the device after the infection, therefore compromising it. It’s highly possible that the attackers exploited a remotely exploitable vulnerability found in the firmware, allowing the malicious code to be injected into the firmware.

QSnatch is capable of gathering confidential information from the infected devices, including your login credentials and system configuration. Because of these data breach concerns, infected QNAP devices that have been “cleaned” may still be at risk of reinfection even after deleting the malware.

According to the German Computer Emergency Response Team (CERT-Bund), more than 7,000 QSnatch infections have been reported in Germany. In June, the number of infected devices around the world reached 62,000, with around 7,600 in the US and 3,900 in the UK.

How QSnatch Works

QSnatch is an extremely sophisticated malware created to steal credentials using a CGI password logger, to provide hackers with a SSH backdoor, to export data (including system configurations and log files), and to provide web shell functionality for remote access.

Once the malware has been installed on the NAS drive, it becomes persistent by modifying the host file and redirecting the core domain names utilized by the NAS drive to outdated local versions, preventing updates from being retrieved.

According to the security alerts, the new version of QSnatch comes with an improved and broad set of features which includes functionality for modules, such as:

• CGI password logger for installing a fake version of the device admin login page, logging legitimate authentications, and forwarding them to the legitimate login page.
• A credential scraper
• SSH backdoor to allow the hacker to execute arbitrary code on a device.
• Exfiltration that enables QSnatch to steal a predetermined list of files, including system configurations and log files. These are usually encrypted with the hacker’s public key and forwarded to their infrastructure over HTTPS.
• Webshell functionality for remote access

While security experts have managed to analyze what the current version of the QSnatch malware is capable of doing, one important factor fails to evade them — how the malware initially infects the devices.

As mentioned earlier, hackers could be exploiting vulnerabilities found in the QNAP firmware or the attackers could be using general passwords for the admin account. Unfortunately, none of these methods could be verified beyond a doubt.

But once the hackers gain a foothold, the QSnatch malware is injected into the firmware and takes full control of the device. It then blocks future updates to the firmware in order to survive on the infected NAS.

Because the malware is so persistent, the admins can’t install firmware updates. Using an reliable antivirus might work for ordinary malware, but they are not effective in this case. Users need to perform a full factory reset before upgrading the firmware and installing all the latest updates, deleting the malware in the process.

How to Remove the Qsnatch Malware

It is not sure whether the malware was created for DDoS attacks, cryptocurrency mining, or to serve as a backdoor for QNAP devices developed to steal confidential data or future host malware.

But as of now, the only successful method of removing QSnatch is to perform a full factory reset of the NAS device. After resetting, users are encouraged to install the latest version of the QNAP NAS firmware update available.

If your organization has been infected by this malware, here’s what QNAP recommends:

“QNAP has updated its Malware Remover app for the QTS operating system on November 1 to detect and remove the malware from QNAP NAS. QNAP also released an updated security advisory on November 2 to address the issue. Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website. QNAP also recommends a series of actions for QNAP NAS security enhancements. They’re also detailed in the security advisory.”

In order to update to the latest firmware, follow this link: https://www.qnap.com/en/download

You can also follow the instructions below:

1. Log into QTS as administrator.
2. Navigate to Control Panel > System > Firmware Update.
3. Click Check for Update under Live Update.
4. QTS downloads and installs the latest available update.

You need to update QNAP’s built-in Malware Remover as well, by following the steps below:

1. Log into QTS as administrator.
2. Open the App Center, and then click the (+) button.
3. When the manual installation dialog box appears, read the instructions.
4. Click Browse.
5. When the file browser appears, locate and choose the installer file.
6. Click Install.
7. A confirmation message pops up.
8. Click OK.
9. QTS should now install the latest version of Malware Remover.
10. When the confirmation message appears, click OK.
11. When the required updates dialog box appears, click Update Now.
12. QTS should update Malware Remover to the latest version.
13. Open Malware Remover, then click Start Scan.

This should scan the NAS for malware and delete any threats found.

How to Prevent QSnatch Infection

To prevent malware infections, QNAP also strongly recommends the following security measures:

• Change the admin password and use unique, strong ones.
• Change other user passwords and make them as random as possible.
• Change your QNAP ID password as well.
• Use a stronger database root password to make it difficult to crack.
• Remove unfamiliar or suspicious accounts that the malware might have created.
• Enable IP and account access protection to avoid brute force attacks.
• Disable SSH and Telnet connections if these services are not being used.
• Disable Web Server, SQL server, or the phpMyAdmin app as well.
• Remove faulty, unknown, or suspicious apps.
• Do not default port numbers, including 22, 443, 80, 8080, and 8081.
• Turn off Auto Router Configuration and Publish Services.
• Restrict Access Control in myQNAPcloud.

The steps above should prevent your QNAP devices from being the target of these attacks. Being infected by QSnatch does not only put your credentials at risk of being stolen, all your data will also be deleted as you reformat the NAS drive to remove the malware. So to prevent this from happening, make sure to implement strict security measures on your drive before it’s too late.