A significant security incident involving Feiniu (fnOS) Network Attached Storage devices has recently surfaced. The Netdragon botnet, a malware strain first observed in October 2024, is actively targeting and infecting these systems and enlisting them in a botnet.

The attackers are gaining code execution by exploiting undisclosed security flaws in the fnOS platform. This is a targeted campaign against storage infrastructure rather than opportunistic mass infection: the operators are going after high-value hardware. The infection abuses the NAS devices' exposed services to stand up an HTTP backdoor interface. Once inside, the attackers install a modular malware system consisting of a loader and a DDoS attack component.

With this foothold they can remotely execute arbitrary commands on the device and enlist it in the botnet.

The compromised units are then used to launch large-scale denial-of-service attacks against a variety of targets. The malware was also found deleting a critical private key file, rsa_private_key.pem, from infected devices; unless a backup exists, that deletion is irreversible, so the threat to data security is serious. As the investigation progressed, analysts from Qi An Xin X Lab determined that by the end of January the campaign had infected roughly 1,500 devices.

According to data from Qi An Xin X Lab's Global Hawk asset mapping, the victims are spread across the globe, with notable concentrations in Singapore, China, and the US. The affected organizations span a range of sectors, including public administration and software services.

Persistence and Defense Evasion Mechanisms

What sets Netdragon apart is the aggressive set of persistence and evasion techniques it uses to keep control of a device.

It establishes a dual foothold: a kernel module in kernel space and a systemd service in user space. This redundancy ensures the malware survives a reboot even if an administrator finds and removes one of the two components. To tighten its grip further, the malware deliberately breaks the device's ability to be maintained.

By editing the system's hosts file it hijacks the official update domain, pointing it at 0.0.0.0 so the NAS can no longer fetch security updates or perform system upgrades. To evade detection by administrators, Netdragon obfuscates its code with dynamic key packing, which also complicates analysis. It further hides its presence by erasing system logs and tampering with process listings to conceal its running tasks.

To mask the traffic spike during active attacks, it also interferes with the device's network monitoring tools.

[Figure: Trends in NetDragon attacks (Source: Qi An Xin X Lab)]

Because the normal update path has been disabled, recovering from this infection requires careful manual intervention. Start by removing any firewall rules the malware injected into nft and iptables, since those rules exist to frustrate removal.

Next, locate and remove both the user-mode service dockers.service and the malicious kernel module async_memcpys.ko; since the two are redundant footholds, both must be removed before the device is rebooted, or the surviving component will re-establish the malware. Administrators must also repair the hosts file so the update domain resolves again, and keep watching for listeners on the backdoor port 57199 to detect reinfection.
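The following POSIX shell script is an added example that turns the remediation checklist above into a repeatable indicator sweep; it is not tooling from Qi An Xin X Lab or Feiniu. It looks for the four artifacts the article names (hosts-file entries sinkholed to 0.0.0.0, the dockers.service unit, the async_memcpys kernel module, and a listener on TCP 57199). Each check reads a file, so it can run offline against captured lsmod and ss output; the demo data and the update hostname update.example.invalid are constructed placeholders, because the article does not name the real update domain. Note that some administrators deliberately keep 0.0.0.0 lines for ad blocking, so review the cleaned hosts file before installing it.

```sh
#!/bin/sh
# Netdragon indicator sweep for a Linux NAS (fnOS or similar).
# Added example, not X Lab's or Feiniu's tooling. Indicators are those the
# article names: hosts-file sinkholing to 0.0.0.0, the dockers.service unit,
# the async_memcpys kernel module and a listener on TCP 57199.
# Every check takes a file so it can be run against captured output offline.

# Print hostnames the hosts file ($1) maps to 0.0.0.0; exit 0 if any exist.
hosts_sinkholed_names() {
    awk '$1 == "0.0.0.0" { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; print $i; f = 1 } }
         END { exit !f }' "$1"
}

# Print $1 with the 0.0.0.0 sinkhole lines removed, for review before it
# replaces /etc/hosts (0.0.0.0 lines are sometimes legitimate ad blocking).
hosts_without_sinkholes() {
    awk '$1 != "0.0.0.0"' "$1"
}

# Exit 0 if module $1 appears in lsmod output stored in file $2.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { f = 1 } END { exit !f }' "$2"
}

# Exit 0 if a socket listens on TCP port $1 in "ss -ltn" output stored in $2
# (column 4 is Local Address:Port, so [::]:57199 and 0.0.0.0:57199 both match).
port_listening() {
    awk -v p=":$1" '$4 ~ (p "$") { f = 1 } END { exit !f }' "$2"
}

# Exit 0 if unit file $1 exists in any of the directories that follow it.
unit_present() {
    name=$1; shift
    for d in "$@"; do
        [ -f "$d/$name" ] && return 0
    done
    return 1
}

# Run every check and print the number of indicators hit (0 = clean).
# $1 hosts file, $2 lsmod output, $3 ss output, remaining args: unit dirs.
sweep() {
    hosts=$1; lsmod_out=$2; ss_out=$3; shift 3
    hits=0
    hosts_sinkholed_names "$hosts" >/dev/null && hits=$((hits + 1))
    module_loaded async_memcpys "$lsmod_out" && hits=$((hits + 1))
    port_listening 57199 "$ss_out" && hits=$((hits + 1))
    unit_present dockers.service "$@" && hits=$((hits + 1))
    echo "$hits"
}

# Offline demo on constructed input (not real capture data); prints 4.
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n0.0.0.0 update.example.invalid # assumed update host\n' > "$d/hosts"
    printf 'Module Size Used by\nasync_memcpys 16384 0\next4 987136 2\n' > "$d/lsmod"
    printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 128 0.0.0.0:57199 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n' > "$d/ss"
    mkdir -p "$d/units"; : > "$d/units/dockers.service"
    sweep "$d/hosts" "$d/lsmod" "$d/ss" "$d/units"
    rm -rf "$d"
}

# Live mode on the NAS itself (run as root): sh sweep.sh --live
if [ "${1:-}" = "--live" ]; then
    lsmod > "/tmp/lsmod.$$"; ss -ltn > "/tmp/ss.$$"
    sweep /etc/hosts "/tmp/lsmod.$$" "/tmp/ss.$$" \
        /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
    rm -f "/tmp/lsmod.$$" "/tmp/ss.$$"
fi
```

A non-zero count means the device should be treated as compromised: remove the injected firewall rules first, then the unit and the module together, restore the hosts file, and re-run the sweep after the reboot to confirm nothing came back.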