Feiniu (fnOS) Network Attached Storage (NAS) devices are currently under a large-scale botnet attack, with the Netdragon malware exploiting unpatched vulnerabilities to infect an estimated 1,500 devices. This campaign, observed since October 2024, specifically targets storage infrastructure, moving beyond opportunistic infections to compromise high-value hardware.
The attackers gain access by exploiting exposed services on the fnOS platform, installing an HTTP backdoor to deploy a modular malware system. This system includes a loader and a Distributed Denial of Service (DDoS) attack component, enabling remote command execution and the conscription of compromised devices into a botnet. The malware has also been observed deleting critical `rsa_private_key.pem` files, posing a severe risk to data security.
Netdragon Botnet Targets Feiniu NAS Devices
A significant security incident is impacting Feiniu (fnOS) Network Attached Storage devices, with the Netdragon botnet actively exploiting unpatched vulnerabilities. According to analysis from Qi An Xin X Lab, approximately 1,500 devices had been infected by the end of January. The campaign focuses on compromising storage infrastructure, indicating a more targeted approach than random network intrusions.
The infection vector involves the exploitation of exposed services on the NAS devices, facilitating the implantation of malicious code. This ultimately leads to the establishment of an HTTP backdoor interface. Once access is secured, attackers deploy a modular malware system, comprising a loader and a DDoS attack component. This allows for remote command execution and the weaponization of the compromised devices into a botnet army.
The compromised Feiniu NAS devices are then leveraged to launch large-scale denial-of-service attacks against various targets. A particularly alarming tactic observed during the infection is the deletion of a critical private key file, `rsa_private_key.pem`, on the affected devices. This action can have permanent and severe consequences for data security and accessibility.
The geographical distribution of the compromised devices is widespread, with significant concentrations identified in China, the United States, and Singapore. Affected entities span multiple sectors, including software services and public administration, highlighting the broad reach of this attack campaign. The report’s trend data suggest that the campaign is continuing to expand both its reach and its capabilities.
Persistence and Defense Evasion Mechanisms
The Netdragon malware employs sophisticated persistence and defense evasion mechanisms to maintain its foothold on compromised systems. It establishes a redundant dual presence by installing both a user-space systemd service and a kernel module. This redundancy ensures that even if one component is detected and removed, the other can sustain the malware’s operation and survive system reboots.
To further entrench itself and hinder recovery efforts, the malware actively disrupts the device’s maintenance capabilities. A key tactic involves tampering with the system’s `hosts` file. By redirecting the official update domain to `0.0.0.0`, the malware effectively prevents the NAS devices from downloading essential security patches or completing system upgrades, leaving them vulnerable.
For stealth operations, Netdragon utilizes dynamic key packing to obfuscate its code, making in-depth analysis more challenging. It also actively conceals its presence by deleting system logs and manipulating process lists to hide its active tasks from administrators. During active DDoS attacks, the malware specifically interferes with network monitoring tools, masking the significant surge in network traffic generated by the botnet.
Recovering from a Netdragon infection necessitates careful manual intervention, as standard automated updates are disabled by the malware. Users and administrators must first identify and remove any manipulated firewall rules within `nft` and `iptables` that the malware injected to obstruct removal attempts. It is critical to locate and delete the malicious kernel module, identified as `async_memcpys.ko`, and the user-mode service, `dockers.service`.
Additionally, administrators are required to restore the system’s update path by correcting the `hosts` file. Ongoing monitoring for the backdoor port, commonly found at 57199, is essential to prevent reinfection. The ongoing threat posed by the Netdragon botnet underscores the critical need for timely patching and robust network security practices for all connected devices.
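The `hosts`-file sinkholing described above and the manual recovery steps listed here (firewall rules, the `async_memcpys.ko` module, the `dockers.service` unit, the backdoor port) can be checked for in one pass. The following triage script is an added example written for this article; it is not code from the X Lab report or from fnOS. Every check reads from a file so it can be pointed at saved evidence or at constructed samples, and `run_live` feeds it the output of the real system commands. The report does not describe the content of the injected firewall rules, so the assumption that they reference port 57199 is labelled as such; the update domain is likewise not named on the page, so the `hosts` check flags any name mapped to `0.0.0.0`.

```shell
#!/bin/sh
# Netdragon indicator triage for a Linux NAS.
# Added example, not code from the X Lab report or from fnOS.
# Indicator names below are the ones given in the article.

BACKDOOR_PORT=57199             # backdoor port named in the report
MALICIOUS_KO=async_memcpys      # kernel module named in the report (async_memcpys.ko)
MALICIOUS_UNIT=dockers.service  # user-mode systemd unit named in the report

# hosts_sinkholed FILE: print hosts(5) entries that map a name to 0.0.0.0,
# the technique used to block the update domain. Exit 0 if any exist, else 1.
hosts_sinkholed() {
    sed 's/#.*//' "$1" \
      | awk '$1 == "0.0.0.0" && NF >= 2 { print }' \
      | grep .
}

# module_loaded FILE: FILE holds lsmod(8) output. Exit 0 if the module is loaded.
module_loaded() {
    awk -v m="$MALICIOUS_KO" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$1"
}

# unit_file_present DIR...: print the path of the malicious unit file in any
# of the given systemd unit directories. Exit 0 if found in at least one.
unit_file_present() {
    found=1
    for d in "$@"; do
        if [ -f "$d/$MALICIOUS_UNIT" ]; then
            echo "$d/$MALICIOUS_UNIT"
            found=0
        fi
    done
    return $found
}

# port_listening FILE: FILE holds `ss -lntp` output. Exit 0 if the
# Local Address:Port column shows a listener on the backdoor port.
port_listening() {
    awk -v p="$BACKDOOR_PORT" 'NR > 1 && $4 ~ (":" p "$") { found = 1 } END { exit !found }' "$1"
}

# firewall_refs FILE: FILE holds `nft list ruleset` and/or iptables-save output.
# Print rules whose dport/sport is the backdoor port so they can be reviewed.
# Assumption (not stated in the report): the injected rules reference that port.
firewall_refs() {
    grep -nE "(dport|sport) ${BACKDOOR_PORT}([^0-9]|$)" "$1"
}

# run_live: snapshot the real system state into a temp dir and run every check.
run_live() {
    t=$(mktemp -d) || return 1
    lsmod > "$t/lsmod" 2>/dev/null
    ss -lntp > "$t/ss" 2>/dev/null
    { nft list ruleset; iptables-save; } > "$t/fw" 2>/dev/null
    hosts_sinkholed /etc/hosts && echo "^ /etc/hosts entries sinkholed to 0.0.0.0"
    module_loaded "$t/lsmod" && echo "kernel module $MALICIOUS_KO is loaded"
    unit_file_present /etc/systemd/system /lib/systemd/system /run/systemd/system \
        && echo "^ malicious unit file present"
    port_listening "$t/ss" && echo "listener on backdoor port $BACKDOOR_PORT"
    firewall_refs "$t/fw" && echo "^ firewall rules referencing port $BACKDOOR_PORT"
    rm -rf "$t"
}

# Run the live checks only when invoked as: sh triage.sh --live
# (so the functions can also be sourced and pointed at saved evidence).
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Each check exits 0 when its indicator is present, so the functions compose with `&&`/`if` in other scripts. A positive result is a reason to follow the recovery steps above (remove the firewall rules, the module and the unit, then fix `hosts`), not a clean bill of health when negative: the article notes that the malware also hides processes and deletes logs, so a host-local check can be lied to, and the port should additionally be watched from the network.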