QNAP Warns That Dovecat Crypto-Mining Malware Is Targeting Its NAS Devices

Vishal  |  Jan 25, 2021

QNAP, one of the leading manufacturers of NAS devices, has once again become the target of a crypto-mining malware campaign, and this time it has raised serious concern among its users. 'Dovecat', a crypto-mining malware strain discovered recently, primarily targets QNAP's line of Network-Attached Storage (NAS) devices and uses their system resources to mine cryptocurrency without the owners' consent. QNAP has issued an official notification asking customers to stay vigilant for abnormal processes on their NAS devices and to take steps to protect them from infection.

"According to analysis, QNAP NAS can become infected when they are connected to the Internet with weak user passwords," QNAP says.

Matthew Ruffell, founder of Dapper Linux, first identified this malware strain while investigating a compromised system, where he confirmed that unusual processes were running in the background and consuming system resources. Ruffell, a software engineer at Canonical, analysed the malware in detail on an Ubuntu system last year. According to his report, the strain can run on any Linux-based system, but it was specifically built to match the internal layout of QNAP NAS devices.

The process consumes large amounts of CPU and memory and runs from the /tmp directory, which does not match any other service on the system. In addition, /tmp contains files owned by the same account that runs the "dovecat" process in the background. All of this raises several red flags.

"Is the dovecat executable itself in /tmp? Are the files in /tmp configuration, or more malware?" 

Legitimate services do not keep their executables in /tmp; the directory exists for temporary storage only. The malware uses /tmp precisely because it is world-writable, so even a low-privileged account can drop and launch a binary there.
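The two indicators described above (a process whose executable resolves into /tmp, and files in /tmp owned by that process's account) can be hunted for directly from a shell. The script below is an added example written for this article; it is not QNAP's Malware Remover or Ruffell's analysis code. It assumes a Linux-style /proc filesystem, which QTS provides, and uses only readlink, awk and find. The PROC_ROOT and SCRATCH_ROOT variables are hypothetical knobs added so the scan can be pointed at a copied or constructed /proc tree; the process names dovecat and dedpma are the ones QNAP reported.

```shell
#!/bin/sh
# Added example, not QNAP's or Ruffell's code: hunt for processes running
# out of world-writable scratch directories and for the files their owner
# left behind there. Assumes a Linux /proc (QTS is Linux-based).
# PROC_ROOT / SCRATCH_ROOT are hypothetical overrides for testing, not QNAP settings.

PROC_ROOT="${PROC_ROOT:-/proc}"
SCRATCH_ROOT="${SCRATCH_ROOT:-/tmp}"

# 0 if the path lies under a world-writable scratch directory.
is_scratch_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the process name is one of the miner names QNAP reported.
is_reported_miner_name() {
    case "$1" in
        dovecat|dedpma) return 0 ;;
        *) return 1 ;;
    esac
}

# Real UID of a pid, taken from the "Uid:" line of /proc/<pid>/status.
uid_of_pid() {
    [ -r "$PROC_ROOT/$1/status" ] || return 1
    awk '/^Uid:/ { print $2; exit }' "$PROC_ROOT/$1/status"
}

# Print "pid<TAB>exe<TAB>comm<TAB>reason" for every process whose executable
# resolves into a scratch directory or whose name is a reported miner name.
# /proc/<pid>/exe keeps the original path even after the binary is unlinked
# (the link target gains a " (deleted)" suffix), so deleting the file
# from /tmp does not hide where the process was launched from.
find_suspicious_procs() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        comm=$(cat "$d/comm" 2>/dev/null) || comm="?"
        reason=""
        if is_scratch_path "${exe% (deleted)}"; then
            reason="exe-in-scratch"
        elif is_reported_miner_name "$comm"; then
            reason="known-name"
        fi
        [ -n "$reason" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$pid" "$exe" "$comm" "$reason"
    done
}

# Regular files under the scratch directory owned by the same UID as the
# given pid: the second red flag (miner config or payloads next to it).
scratch_files_owned_by_pid() {
    uid=$(uid_of_pid "$1") || return 1
    find "$SCRATCH_ROOT" -xdev -user "$uid" -type f 2>/dev/null
}

# Stand-alone usage: list hits, then the scratch files each hit's owner holds.
find_suspicious_procs | while IFS="$(printf '\t')" read -r pid exe comm reason; do
    echo "[$reason] pid=$pid comm=$comm exe=$exe"
    scratch_files_owned_by_pid "$pid" | sed 's/^/    owns: /'
done
```

Run it as root on the NAS so that /proc/<pid>/exe of every process is readable; as an unprivileged user the scan silently skips processes it cannot inspect. A hit on "exe-in-scratch" is the stronger signal, since a miner can be renamed but cannot easily hide the directory it was executed from.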

The problem has grown considerably over the last three months as more and more users reported the campaign. Some QNAP customers complained that their devices became unusable once infected. With cryptocurrency gaining traction lately, crypto-mining malware infections rose by 53% in the fourth quarter of last year.

Dovecat targeted QNAP NAS

Synology, another NAS vendor, has not issued an advisory, although some of its customers have reported similar symptoms. Infections of this kind are not unprecedented on QNAP devices. QNAP's security team has made developing a removal solution for the malware a priority.

"These actions can further enhance NAS security and make it harder for dovecat to enter your QNAP NAS," the advisory adds. "The QNAP PSIRT has made it a priority to develop a solution that will remove dovecat from infected devices."

Dovecat Crypto-Mining Malware

Users with weak passwords on their QNAP NAS devices are the ones most likely to be infected by this malware strain. The program is called 'Dovecat' because it tries to blend in by masquerading as Dovecot, a legitimate mail (IMAP/POP3) server daemon widely deployed on Linux systems.

In response, QNAP has also published detailed best practices to reduce the overall risk of infection. These range from updating QTS to the latest version and enabling a firewall to avoiding default port numbers.

QNAP users noticed that something was wrong with their NAS devices when they spotted two processes, dovecat and dedpma, running continuously in the background and consuming large amounts of resources. In November the company published a support post confirming that the two processes belong to cryptocurrency-mining malware.

Preliminary Steps Against Malware Attacks

The firm asks users to take the following steps to defend against infection:

  • Update QTS to the latest version
  • Install Security Counselor and run it with the Intermediate security policy
  • Enable a firewall
  • Install the latest version of Malware Remover
  • Use strong passwords for administrator accounts
  • Use strong passwords for database administrators
  • Enable Network Access Protection to defend accounts against brute-force attacks
  • Avoid using default port numbers
  • Disable SSH and Telnet if they are not needed
  • Disable unused services and applications

Given this malware infection, QNAP has advised its customers to follow these best practices to strengthen the security of their NAS devices. To block future attacks and malware infections, users should remove all suspicious or unknown accounts and apps from their NAS, change the passwords of all accounts, and update QTS and its apps to the latest versions.
