Threat Watch

New Crypto-Miner ‘OOM_REAPER’ Targeting QNAP Network-Attached Storage (NAS) Devices

QNAP, a Taiwan-based hardware and software services vendor, published a security advisory warning of a new crypto-mining malware variant that is targeting client network-attached storage (NAS) devices. The advisory did not contain any information about how the malware gains a foothold on infected systems, but it notes that the crypto-miner has been observed as a process named “oom_reaper” with a process ID (PID) greater than 1000. Such a high PID is atypical for kernel processes. The malware may take up to 50% of total CPU usage on infected devices. In late 2020 and early 2021, QNAP NAS devices were targeted by the Dovecat crypto-miner, as well as the credential theft botnet, Qsnatch.
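
The indicator described above (a process named “oom_reaper” with a PID greater than 1000) can be checked from a shell on the device. The script below is an added example, not part of the QNAP advisory; the function name, the optional proc-root argument, and the cmdline annotation (kernel threads expose an empty `/proc/<pid>/cmdline`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: list processes matching the advisory's indicator,
# i.e. name "oom_reaper" AND PID > 1000.
# Usage on a device: sh check_oom_reaper.sh --scan
# Output: one line per match, "<pid> cmdline=present|empty".

scan_oom_reaper() {
    # Assumption: optional argument lets the check run against a copied
    # or constructed /proc tree (used for offline triage and testing).
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        pid="${dir##*/}"
        # Skip anything that is not a purely numeric PID directory.
        case "$pid" in *[!0-9]*) continue ;; esac
        [ -r "$dir/comm" ] || continue

        name="$(cat "$dir/comm" 2>/dev/null)"
        [ "$name" = "oom_reaper" ] || continue
        # A low-PID oom_reaper is the expected kernel thread; the advisory
        # flags the name only when the PID is greater than 1000.
        [ "$pid" -gt 1000 ] || continue

        # /proc files report size 0, so read the content instead of using -s.
        # Kernel threads have an empty cmdline; a non-empty one means the
        # process was started from user space under a kernel-thread name.
        cmd=""
        [ -r "$dir/cmdline" ] && cmd="$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline")"
        if [ -n "$cmd" ]; then
            echo "$pid cmdline=present"
        else
            echo "$pid cmdline=empty"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_oom_reaper /proc
fi
```

Any line of output is a match for the advisory's indicator and warrants running the remediation steps QNAP lists.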


QNAP advises updating to the latest version of QNAP QTS and QNAP QuTS in order to resolve this vulnerability. In some cases, simply restarting the NAS may remove the active crypto-miner. There is also a Malware Remover tool available via the App Center in the QTS portal, which must be updated before it can be deployed effectively. Users are advised not to use the common system port numbers 443 or 8080, in order to avoid common crypto-miner attacks (the port numbers can be changed via QTS). In general, using appropriately strong passwords or passphrases, enabling multi-factor authentication (MFA) where feasible, and configuring networks so that NAS devices are not exposed to the Internet are all highly recommended.