QSnatch Malware infects QNAP NAS drives

[German]A malware called QSnatch targets network storage from the manufacturer QNAP. The manufacturer offers a firmware update to protect against this malware.


Manufacturer QNAP had already published this security warning about the QSnatch malware on November 1, 2019. The National Cyber Security Center Finland (NCSC-FI) had received reports of infected devices attempting to communicate with certain Command and Control (C2) servers via the Autoreporter service in mid-October 2019.

Then last week the Cyber Emergency Response Team (CERT) of the Finnish Transport and Communications Agency (NCSC-FI) issued a warning about a new malware. The malware that infects QNAP's Network Attached Storages (NAS) was discovered during an analysis and named QSnatch. An analysis of the malware revealed the following actions:

  • Operating system timed jobs and scripts are modified (cronjob, init scripts)
  • Firmware updates are prevented via overwriting update sources completely
  • QNAP MalwareRemover App is prevented from being run
  • All usernames and passwords related to the device are retrieved and sent to the C2 server
  • The malware has modular capacity to load new features from the C2 servers for further activities
  • Call-home activity to the C2 servers is set to run with set intervals

The malware modifies the firmware of infected QNAP devices to remain persistent. Firmware updates of the device are deactivated. The infection vector is still unknown.

Recommendations of the manufacturer

On the basis of previous findings, the manufacturer QNAP gives its users the following recommendations for action:

  1. Update QTS to the latest version.
  2. Install and update Security Counselor to the latest version.
  3. Install and update Malware Remover to the latest version.
  4. Use a stronger admin password.
  5. Enable IP and account access protection to prevent brute force attacks.
  6. Disable SSH and Telnet connections if you are not using these services.
  7. Avoid using default port numbers 443 and 8080.

Currently it is unclear if updating the firmware will really help against the QSnatch malware. In July 2019 there was already a warning against Ransomware infection (see Ransomware addressing QNAP-/Synology NAS systems). There, recommendations for action similar to those in the above list were given. 


German CERT-Bundwrites in the above tweet that on the basis of collected data, approximately 7,000 NAS devices are already affected in Germany. 

System infected? Remedial measures

If a QNAP system is infected by the malware, a complete reset of the device to the factory settings will help. To check whether the QNAP device is infected, you can run the latest version of the Malware Remover software. On infected systems, it may not be possible to install the Malware Remover. At German site heise a user has posted a how to on how to manually check the system for an infection posted in this comment. Further details may bef ound at finnishCERT, at the QNAP security advisory and at Bleeping Computer.

Similar articles:
Ransomware addressing QNAP-/Synology NAS systems
QNAP fixes critical NAS bug that may causes data loss
Multiple Vulnerabilities in Synology NAS systems

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *