28 July 2020

QSnatch operators stole data from over 62,000 QNAP network storages

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have issued a joint alert on an ongoing malware campaign targeting network-attached storage (NAS) appliances made by the Taiwanese company QNAP.

The QSnatch malware (also known as Derek) is used to steal data and has so far compromised about 62,000 devices, most of them located in Western Europe and North America.

“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates,” the agencies said in the alert.

The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities.

The latest version of QSnatch has a wide range of features, including:

  • CGI password logger: installs a fake version of the device's admin login page, logs successful authentications and passes them on to the legitimate login page;

  • Credential scraper;

  • SSH backdoor: allows the attackers to execute arbitrary code on the device;

  • Exfiltration: QSnatch steals a predetermined list of files, including system configurations and log files. These are encrypted with the actor's public key and sent to the actor's infrastructure over HTTPS;

  • Webshell functionality for remote access.
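The CGI password logger works by replacing the admin login page on the device, so the practical check an administrator wants is whether any file in the web/CGI tree differs from a known-good baseline taken right after a clean firmware update. The script below is an added example written for this article; it is not code from QNAP, CISA or the NCSC, and the directory paths in the usage comment are assumptions to be adapted to the firmware in use. It records a SHA-256 manifest of a directory and later reports files that were added, removed or modified.

```shell
#!/bin/sh
# Added example (not the article's, QNAP's or CISA's code): a minimal
# file-integrity check for a NAS web/CGI directory. QSnatch's CGI password
# logger swaps in a fake admin login page, so a hash manifest taken from a
# known-good device will later show that page as MODIFIED (or ADDED).
# Assumed usage (paths are assumptions, adjust to your firmware):
#   make_baseline  /home/httpd /root/httpd.sha256      # after a clean update
#   check_baseline /home/httpd /root/httpd.sha256      # periodically / on alert

# make_baseline DIR OUT: write "<sha256>  <relative path>" for every regular
# file under DIR into OUT, sorted so that manifests are comparable.
make_baseline() {
    dir=$1 out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$out"
}

# check_baseline DIR MANIFEST: print one line per difference, in the form
#   ADDED <path> / MISSING <path> / MODIFIED <path>
# and return 1 if anything differs, 0 if the tree still matches the manifest.
check_baseline() {
    dir=$1 manifest=$2
    now=$(mktemp)
    make_baseline "$dir" "$now"
    # sha256sum prints "<hash>  <path>", so split each line on two spaces.
    # The first input file is the stored baseline, the second the fresh scan;
    # FILENAME==ARGV[1] (rather than NR==FNR) also copes with an empty baseline.
    out=$(awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) print "MISSING " p
            for (p in cur) {
                if (!(p in base))          print "ADDED " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            }
        }' "$manifest" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

The manifest must be stored off the device (or at least outside the web tree), since an attacker who can replace the login page can also rewrite a baseline kept beside it; the check only tells you that something changed, so a MODIFIED login CGI after no legitimate update is the signal to treat the device as compromised rather than simply re-baseline.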
