A new large-scale campaign is actively targeting Feiniu (fnOS) NAS devices, exploiting undisclosed vulnerabilities to compromise storage infrastructure. Unlike random IoT malware infections, this campaign specifically focuses on high-value hardware targets, allowing attackers to gain remote control and use these devices for malicious purposes.
By the end of January, analysts at Qi An Xin X Lab reported that approximately 1,500 NAS devices had been infected globally, including systems in China, the United States, and Singapore, spanning multiple industries such as software services and public administration.
This article explores:
- How the Netdragon botnet compromises NAS devices
- Technical details of malware persistence and evasion
- Risks to data security and enterprise networks
- Mitigation and recovery strategies
How Netdragon Compromises NAS Devices
Exploitation of Unpatched Vulnerabilities
- Attackers exploit undisclosed security flaws in fnOS to gain entry
- Deploy an HTTP backdoor interface once access is achieved
- Install a modular malware system including:
- Loader component for control
- DDoS attack module to participate in botnet operations
This setup allows attackers to execute arbitrary commands remotely, effectively conscripting compromised NAS devices into a botnet army.
Impact on Device Integrity
- Malware deletes critical files, notably rsa_private_key.pem, risking permanent data loss
- Devices are used to launch large-scale distributed denial-of-service (DDoS) attacks
- Infection disrupts routine device maintenance, blocking system updates
Persistence and Evasion Mechanisms
Netdragon malware is highly sophisticated, employing multiple methods to remain undetected:
- Dual Foothold
- User-space systemd services
- Kernel-space kernel modules (async_memcpys.ko)
- Redundancy ensures malware survives device reboots
- Sabotaging Updates
- Modifies the hosts file to redirect update domains to 0.0.0.0
- Prevents security patches from being applied
- Obfuscation & Concealment
- Uses dynamic key packing to hide code
- Deletes system logs and manipulates process lists
- Interferes with network monitoring tools to mask abnormal traffic
Infection Propagation
- Exploits exposed services on NAS devices
- Backdoor listens on port 57199 for attacker commands
- Malware ensures exclusive control by disabling competing malware
Mitigation and Recovery Strategies
Recovering from a Netdragon infection is complex due to disabled updates and active persistence mechanisms. Recommended steps include:
- Manual Malware Removal
- Delete the kernel module async_memcpys.ko
- Remove the user-mode service dockers.service
- Restore System Functionality
- Repair the hosts file to restore update paths
- Remove malicious firewall rules from nftables/iptables
- Network Monitoring & Hardening
- Monitor for activity on backdoor port 57199
- Segment NAS devices from critical enterprise networks
- Apply security patches as soon as they become available
- Preventive Measures
- Regular firmware updates
- Restrict exposed services to internal networks only
- Conduct periodic vulnerability assessments
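The checks above (hosts entries nulled to 0.0.0.0, the async_memcpys kernel module, the dockers.service unit, a listener on TCP 57199) gathered into one triage script, as an added example that is not code from the article, fnOS or X Lab. It assumes a systemd-based Linux NAS with ss or netstat available; the file-path parameters are an assumption so the same checks can be run against files copied off a suspect device.

```shell
#!/bin/sh
# Defender-side triage for the Netdragon indicators this article names.
# Added example, not code from the article, fnOS or X Lab. Assumes a
# systemd-based Linux NAS with ss or netstat. Each check returns 0 when the
# indicator is present and 1 when it is absent; file paths are parameters so
# the same checks can run against files copied off a suspect device.

# Hostnames the hosts file maps to 0.0.0.0 (the update-sabotage technique).
nulled_hosts() {
  awk '$1 == "0.0.0.0" { for (i = 2; i <= NF; i++) if ($i !~ /^#/) print $i; else break }' "$1"
}

# Kernel-space foothold: async_memcpys listed in /proc/modules.
kernel_module_loaded() {
  grep -q '^async_memcpys' "${1:-/proc/modules}"
}

# User-space foothold: a dockers.service unit in the usual unit directories.
malicious_service_present() {
  for d in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system; do
    [ -e "$d/dockers.service" ] && { echo "$d/dockers.service"; return 0; }
  done
  return 1
}

# Backdoor listener on TCP 57199; ss first, netstat as a fallback.
backdoor_port_listening() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ':57199$'
  else
    netstat -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ':57199$'
  fi
}

# Run every check; returns 1 if any indicator was found, 0 if the device looks clean.
triage() {
  found=0
  hits=$(nulled_hosts "${1:-/etc/hosts}")
  [ -n "$hits" ] && { echo "hosts entries nulled to 0.0.0.0:"; echo "$hits"; found=1; }
  kernel_module_loaded && { echo "kernel module async_memcpys is loaded"; found=1; }
  unit=$(malicious_service_present) && { echo "unit present: $unit"; found=1; }
  backdoor_port_listening && { echo "listener on TCP 57199"; found=1; }
  [ "$found" -eq 0 ] && echo "no Netdragon indicators found"
  return "$found"
}
```

Run `triage` as root on the device itself, or `nulled_hosts /path/to/copied/hosts` and `kernel_module_loaded /path/to/copied/modules` against files pulled from a suspect system during forensic review.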
Why This Matters
This campaign demonstrates how attackers are shifting from generic malware infections to highly targeted attacks against enterprise storage devices. The Netdragon botnet not only compromises NAS devices for DDoS operations but also threatens permanent data loss and system compromise due to its aggressive persistence and sabotage techniques.
Key takeaways for organizations:
- Ensure NAS devices are patched and monitored continuously
- Disable unnecessary exposed services
- Implement network segmentation and robust monitoring to detect abnormal traffic
- Have a detailed recovery plan in place for infected devices
Proactive defenses and timely remediation are critical to prevent NAS devices from becoming part of large-scale botnet operations.