elf.qsnatch

QSnatch


QSnatch infects QNAP NAS devices, persists through several mechanisms, and resists cleaning by blocking firmware updates and interfering with QNAP MalwareRemover. It also steals passwords and password hashes from the device.

References
2020-07-27 | NCSC UK, CISA | CISA
Alert (AA20-209A): Potential Legacy Risk from Malware Targeting QNAP NAS Devices
https://us-cert.cisa.gov/ncas/alerts/aa20-209a
@online{uk:20200727:alert:31c9b38, author = {NCSC UK and CISA}, title = {{Alert (AA20-209A): Potential Legacy Risk from Malware Targeting QNAP NAS Devices}}, date = {2020-07-27}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-209a}, language = {English}, urldate = {2020-07-30} }

2020-07-27 | NCSC UK, CISA | NCSC UK
Alert: Potential legacy risk from malware targeting QNAP NAS devices
https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf
@techreport{uk:20200727:alert:de33046, author = {NCSC UK and CISA}, title = {{Alert: Potential legacy risk from malware targeting QNAP NAS devices}}, date = {2020-07-27}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf}, language = {English}, urldate = {2020-07-30} }

2019-11-12 | Johannes Bader | Johannes Bader Blog
The DGA of QSnatch
https://bin.re/blog/the-dga-of-qsnatch/
@online{bader:20191112:dga:0a1d2c8, author = {Johannes Bader}, title = {{The DGA of QSnatch}}, date = {2019-11-12}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qsnatch/}, language = {English}, urldate = {2020-01-13} }

2019-10-25 | Finnish Transport & Communications Agency | Finnish Transport & Communications Agency
QSnatch - Malware designed for QNAP NAS devices
https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices
@online{agency:20191025:qsnatch:9631c95, author = {Finnish Transport & Communications Agency}, title = {{QSnatch - Malware designed for QNAP NAS devices}}, date = {2019-10-25}, organization = {Finnish Transport & Communications Agency}, url = {https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices}, language = {English}, urldate = {2020-01-10} }
Yara Rules
[TLP:WHITE] elf_qsnatch_w0 (20191113 | Detects QSnatch shell scripts)
/*
    based on these samples:
      - 09ab3031796bea1b8b79fcfd2b86dac8f38b1f95f0fce6bd2590361f6dcd6764
      - 5cb5dce0a1e03fc4d3ffc831e4a356bce80e928423b374fc80ee997e7c62d3f8
      - 8fd16e639f99cdaa7a2b730fc9af34a203c41fb353eaa250a536a09caf78253b
      - 9526ccdeb9bf7cfd9b34d290bdb49ab6a6acefc17bff0e85d9ebb46cca8b9dc2
      - 3c38e7bb004b000bd90ad94446437096f46140292a138bfc9f7e44dc136bac8d
      - 5130282cdb4e371b5b9257e6c992fb7c11243b2511a6d4185eafc0faa0e0a3a6
      - 15892206207fdef1a60af17684ea18bcaa5434a1c7bdca55f460bb69abec0bdc
*/
rule elf_qsnatch_w0 {
    meta:
        author = "Johannes Bader mail@johannesbader.ch"
        date = "2019-11-13"
        description = "Detects QSnatch shell scripts"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch"
        malpedia_version = "20191113"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // the samples are plain POSIX shell scripts; the shebang must be the first bytes of the file
        $shebang = "#!/bin/sh"

        // URL template built from shell variables for the host and TLD, with a Unix timestamp appended
        $pat_url = "https://${host}.${ext}/qnap_firmware.xml?t=$(date +%s)"
        // tail of a base64-encoded RSA public key embedded in the script
        $pat_public_key = "DNnpDGbq632Bs8ESd3ueHk9OY/UZxWeN3UdbseFxK35XAgMBAAE="
        // hard-coded decryption key string found in the samples
        $pat_decrypt_key = "7C0vK4SzMO15zBxLD7XCi5hbjgP1ZjkJ"

    condition:
        // shebang at offset 0, at least one of the QSnatch-specific strings,
        // and a size cap so the rule only considers small script files
        $shebang at 0
        and any of ($pat_*)
        and filesize < 200KB
}