StealthWorker botnet targets Synology NAS machines with ransomware

Synology, a Taiwanese company, has issued a warning to clients citing that the StealthWorker botnet is executing brute-force attacks in order to attack machines with ransomware.


Once the device is infected, threat actors use it as part of a botnet that targeted Linux systems, including Synology NAS.


The vendor published a security advisory:


Synology PSIRT (Product Security Incident Response Team) has recently seen and received reports on an increase in brute-force attacks against Synology devices. Synology’s security researchers believe the botnet is primarily driven by a malware family called “StealthWorker.” At present, Synology PSIRT has seen no indication of the malware exploiting any software vulnerabilities.

These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware.



The vendor has shared its findings with relevant CERTs and is collaborating with them to remove the malware’s C&C (command and control) infrastructure. Customers who are affected are also being notified by Synology.


Customers should enable multi-factor authentication if possible, enable auto block and account protection, and use string administrator credentials, according to the Taiwanese corporation.


System administrators should contact Synology technical support if they detect suspicious behaviour on their devices.


The Stealthworker botnet was first discovered in June 2020 by Akamai researchers.


It is a Golang-based malicious code that targets Windows and Linux servers running popular web services and platforms such as (cPanel / WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Brixt, SSH, and FTP).


The Stealthworker malware’s operators use infected hosts to perform brute-force attacks on other systems.



You might also like:

GIGABYTE ransomware attack: RasomEXX gang stole 112GB of data

Angry Conti ransomware affiliate reveals gang’s playbook

DarkSide ransomware gang is back as BlackMatter operation

PwnedPiper flaws in PTS systems affect major US hospitals