AA20-209A Potential Legacy Risk from Malware Targeting QNAP NAS Devices
Indicators
This alert pertains to a strain of malware known as QSnatch, which attackers used in November 2019 to target QNAP Network Attached Storage (NAS) devices.
QNAP Systems, Inc. is a Taiwanese corporation that specializes in Network Attached Storage appliances used for file sharing, virtualization, storage management, and surveillance applications.
As investigated by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC), and confirmed by the manufacturer's security advisory (release date: November 1, 2019; Security ID: NAS-201911-01; severity: High), all QNAP NAS devices are potentially vulnerable to QSnatch malware, and the QTS firmware needs to be updated to the latest version. As documented in open-source reports, this relatively sophisticated malware has infected thousands of devices worldwide, with a particularly high number of infections in North America and Europe.
QSnatch injects code into the firmware of a QNAP NAS device. Once infected, the device may initiate a connection to a command-and-control (C2) server to download additional code onto the compromised device.
QSnatch malware contains multiple functionalities, such as:
• CGI password logger
• Credential scraper
• SSH backdoor (to execute arbitrary code on a device)
• Exfiltration (steals a predetermined list of files, including system configurations and log files)
• Webshell functionality for remote access
Once a device is infected, QSnatch prevents administrators from successfully running firmware updates: it modifies the system hosts file to redirect the core domain names the NAS uses to local, out-of-date copies, so the installation of updates can never complete and the device may first need a full factory reset.
For additional details about this activity, including mitigation recommendations, see Activity Alert "AA20-209A Potential Legacy Risk from Malware Targeting QNAP NAS Devices".
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2020-07-22T00:00:00
Malicious File Indicator
File Hash Watchlist