Miner-C, or PhotoMiner, has been around since June, but it is now specifically targeting Seagate Central NAS hard drives, according to Sophos. The Miner-C iterations are using a design flaw in the Seagate Central NAS devices to place a copy of itself in their public data folders.
According to Sophos, Seagate Central devices contain a public folder accessible to all users, even anonymous non-logged-in users, which can't be deactivated or deleted.
Miner-C is copying files to this public folder on all Seagate Central NAS devices it can find. One of the files it copies is called Photo.scr, a script file that malware coders have modified to use a standard Windows folder icon. Whenever the device owner accesses their NAS, they see this file as a folder, and are fooled by the fake icon.
When they try to access the folder, they're actually executing the Photo.scr file, which installs a cryptocurrency mining application on their PC.
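A defender-side sweep for the lure described above, as an added example that is not from Sophos or the original article: it walks a mounted copy of the NAS public folder and reports files Windows would run, judged by extension and by the `MZ` executable header, since the icon shown in Explorer says nothing about the file type. The extension list, function names and sample files are assumptions constructed for the demo.

```python
import os
import tempfile

# Extensions Windows runs on double-click (assumed list); .scr is the one the article names.
RUNNABLE_EXTS = {".scr", ".exe", ".pif", ".com"}


def is_pe(path):
    """True if the file starts with 'MZ', the magic bytes of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable file: report nothing rather than guess


def find_lures(share_root):
    """Return sorted (relative path, reason) pairs for runnable files under share_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in RUNNABLE_EXTS:
                reason = "runnable extension"
            elif is_pe(full):
                reason = "PE header behind another extension"
            else:
                continue
            hits.append((os.path.relpath(full, share_root), reason))
    return sorted(hits)


def demo():
    """Scan a constructed stand-in for the public folder (harmless sample bytes)."""
    samples = {
        "Photo.scr": b"MZ\x90\x00" + b"\x00" * 60,       # constructed, not malware
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,     # executable bytes, document name
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Photos"))            # a genuine folder is ignored
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_lures(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point `find_lures` at the path where the share is mounted; anything it reports should be inspected from a machine that will not execute it.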
Sophos said: "Since it generates a new initialization file when it is launched, it helps the malware avoid security solutions. It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware to the victim's machine after the mining business is no longer profitable."
Sophos thinks that there are more than 5,000 Seagate Central NAS devices infected – or about 70 per cent of the total.
Seagate Central owners have no way to protect their device. Turning off the NAS remote access feature can prevent the infection, but it also means they lose the ability to access the device from a remote location, which removes the only reason to have an NAS.