Stubborn Malware Targets QNAP NAS Hardware Specifically

qsnatch nas qnap storage malware

QNAP Systems says there is no known way to remove the Qsnatch malware infecting its NAS devices besides a full factory reset.


Top-selling network attached storage devices (NAS) made by QNAP Systems are being singled out by attackers, who have crafted malware specifically designed for the vendor’s hardware. Researchers at the Finland’s National Cyber Security Centre (NCSC-FI) reported the targeted attacks late last month, dubbing the malware QSnatch.

Once infected, hackers can access the NAS devices and retrieve all related usernames and passwords, sending them to a command-and-control (C2) server, said NCSC-FI.

“The malware has modular capacity to load new features from the C2 servers for further activities,” wrote researchers. “Firmware updates are prevented via overwriting update sources completely… [A] QNAP MalwareRemover App is prevented from being run… [And] firmware updates are prevented via overwriting update sources completely.”

The malware is particularly nasty, with QNAP reporting in its advisory there is no way to remove the it, and that it “is currently working on a removal solution and will update this advisory once it is publicly available.”

UPDATE: On November 7, QNAP released a public statement and a security bulletin regarding the issue stating:

“QNAP has updated its Malware Remover app for the QTS operating system on November 1 to detect and remove the malware from QNAP NAS. QNAP also released an updated security advisory on November 2 to address the issue. Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website. QNAP also recommends a series of actions for QNAP NAS security enhancements.”

It’s unclear how QSnatch spreads, however the post-infection phase includes malicious code injected into the QNAP NAS firmware. The code is then run as “part of the normal operations within the device,” according to the report, posted last week.

Next, the attackers use domain generation algorithms to retrieve addition malware from command-and-control servers using the “HTTP GET https://<generated-address>/qnap_firmware.xml?=t<timestamp>” command.

“Any organization that has fallen victim to this infection must proactively begin to look for credential misuse,” wrote Bob Noel, vice president of strategic partnerships at Plixer, in an emailed comment. “Bad actors who have stolen valid credentials will use them to try to gain access to other resources. As a best practice, network traffic analysis should be implemented within the organization.”

According to the Qnap advisory, the affected NAS devices include:

  • QNAP NAS devices with QTS 4.2.6 build 20181227,
  • QTS 4.3.3 build 20190102
  • QTS 4.3.4 build 20190102
  • QTS 4.3.6 build 20181228 and earlier versions

The manufacturer is urging customers to manually update NAS firmware to the latest version. However, it warns that if a customer is already infected, “updating QTS and all NAS applications may not completely remove the malware.”

It’s unclear how many QNAP NAS devices may be infected with QSnatch. According to a tweet by the German Computer Emergency Response Team on Thursday, 7,000 infections have  been reported.

QNAP Systems hardware are no strangers to being attack targets. Threatpost reported in July that an unusual Linux ransomware, called QNAPCrypt, targeted QNAP NAS servers. The year before that, researchers found multiple bugs in QNAP’s Q’Center Web Console. In 2014, a worm exploiting the Bash vulnerability in QNAP network attached storage devices was also discovered.

(This article was updated 3pm Nov. 4 at 3:12 pm ET to delete advice from researchers to factory reset QNAP Systems as a mitigation technique. The article was updated on Nov. 8 to include an official response from the vendor QNAP.)  

Suggested articles