Your Seagate Central NAS could be hosting mining malware

If you have discovered cryptocurrency mining malware on your system, removed it, and then been compromised again with no idea how it happened, the source of the infection could be the Seagate Central NAS sitting on your network.


The malware

Sophos researchers recently analyzed a newer version of a piece of malware that is set on mining Monero (XMR), a new digital cryptocurrency that is much easier to mine than Bitcoin.

Mal/Miner-C, as they’ve dubbed the threat, does not use the NAS for the mining, but as an “outpost” from which it infects various systems.

Seagate Central comes with a “public” folder, which is accessible to anyone on the same network as the device, and anyone who has a remote access account on it.

“This public folder and account cannot be deleted or deactivated,” threat researcher Attila Marosi pointed out. “The admin user has the ability to enable the device for remote access or turn this feature off entirely. But, if the device is enabled for remote access, all the accounts will be available on the device, including the anonymous user. In this state, your device is open for anyone to write to your public folder.”

The attackers who wield this malware take advantage of this fact and place a malicious script file (Photo.scr) into this public folder. The file was made to use the standard Windows folder icon. A curious user who tries to access the “folder” will trigger the installation of the miner on his or her system.
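To check a share for this kind of planted file, the following sketch (an added example, not code from Sophos or Seagate) walks a mounted public folder and flags the reported file name, other directly executable extensions, and Windows executables hiding behind a document extension. The extension list beyond .scr, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions Windows runs when double-clicked; .scr is the one the article names,
# the others are an assumed, non-exhaustive list.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
KNOWN_DROPPER_NAMES = {"photo.scr"}  # file name reported in the article


def is_pe(path):
    """True if the file starts with the DOS 'MZ' magic used by Windows executables."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # an unreadable file is treated as not-PE here


def scan_share(root):
    """Walk a mounted share and return (path, reason) findings, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in KNOWN_DROPPER_NAMES:
                findings.append((path, "name matches reported dropper"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((path, "executable extension on a data share"))
            elif is_pe(path):
                findings.append((path, "PE header behind a non-executable extension"))
    return sorted(findings)


def build_sample_share(root):
    """Constructed sample data: harmless stand-ins, not real malware."""
    os.makedirs(os.path.join(root, "Public", "Holiday"))
    samples = {
        "Public/Photo.scr": b"MZ" + b"\x00" * 62,
        "Public/Holiday/beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "Public/Holiday/invoice.pdf": b"MZ" + b"\x00" * 62,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for path, reason in scan_share(tmp):
            print(f"{os.path.relpath(path, tmp)}: {reason}")
```

Point scan_share at the path where the NAS public folder is mounted. Because Explorer hides known extensions by default, a file flagged here can appear on a Windows desktop as a plain folder.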

How widespread is it?

The researchers decided to see how widespread the threat is, and scanned the internet for Seagate Central NAS devices that have been “contaminated” with Mal/Miner-C.

The results are as follows: of the 207,110 active devices that allow anonymous remote access, 7,263 have write access enabled, and of these, 5,137 have the malware planted on them. The affected devices can be found in almost every corner of the world:

[Image: Contaminated Seagate Central NAS devices]

“More than 70% of the servers where write access was enabled had already been found, visited and ‘borrowed’ by crooks looking for innocent-sounding repositories for their malware,” Marosi noted.

“If you’ve ever assumed that you’re too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.”

He estimates that the crooks behind this scheme earn around 428 euros ($482) per day.
