This report explains NOTROBIN, a backdoor trojan that exploits the highly-publicized Citrix vulnerability known as CVE-2019-19781.
NOTROBIN isn’t the first piece of malware to exploit this Citrix vulnerability, but it has unique features and a noteworthy infection pattern. The malware itself closely resembles other Linux/UNIX infections: it uses a command string to begin compromising the targeted host.
CVE-2019-19781 is a weakness in how the affected Citrix products handle certain specially crafted web requests; it allows directory traversal and can lead to remote code execution. There’s a decent chance that successful exploitation of this vulnerability would result in a bad actor gaining access to internal network resources.
Vulnerabilities like this one are often used by bad actors to gain initial access to the network before using other methods to move laterally in the environment. The affected software versions are listed below.
Affected Software Versions:
Please see our previous threat report on CVE-2019-19781 for more context.
The NOTROBIN infection begins with a POST request, originating from a Tor node, to the desired target. The request targets a vulnerable script on the host called newbm.pl, which triggers a series of commands being injected into the device.
It’s unclear exactly how the NOTROBIN malware progresses from the POST request to command injection, but it’s clear that the vulnerable newbm.pl script is involved.
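The delivery step described above leaves a trace in the appliance’s web access log: a POST aimed at newbm.pl. The following added example (not from the Avertium report, and not Citrix tooling) is a small triage helper that tags such requests. The Apache combined log format and every sample line are constructed assumptions for this demonstration; the percent-encoded traversal variants it also matches are a generic evasion concern, not something the report itself discusses.

```shell
#!/bin/sh
# Added example, not from the Avertium report: a web-access-log triage helper
# for the NOTROBIN delivery step (a POST to newbm.pl that rides on the
# CVE-2019-19781 directory-traversal flaw). The log format (Apache combined)
# and every sample line below are constructed assumptions for this demo.

# Print one tagged line per suspicious request:
#   HIGH   - POST to newbm.pl whose path carries a traversal sequence
#            (plain "../" or a percent-encoded variant)
#   REVIEW - any other POST to newbm.pl, worth a look but not conclusive
scan_access_log() {
    # Combined-format fields: $6 = "METHOD (leading quote), $7 = request path
    awk '
        $6 == "\"POST" && $7 ~ /newbm\.pl([?]|$)/ {
            if ($7 ~ /(\.\.|%2[eE]%2[eE])(\/|%2[fF])/)
                print "HIGH   " $1 " " $7
            else
                print "REVIEW " $1 " " $7
        }
    ' "$1"
}

# Same logic, but report only the number of suspicious requests.
count_hits() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one traversal POST, one benign GET, one plain POST.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Jan/2020:12:00:01 +0000] "POST /x/../y/newbm.pl HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.0.2.10 - - [10/Jan/2020:12:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Jan/2020:12:00:09 +0000] "POST /newbm.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

scan_access_log "$SAMPLE_LOG"
```

Run against a real log, `scan_access_log /path/to/access.log` prints the two HIGH/REVIEW tiers; pipe the HIGH lines into your case tracking first, since a traversal sequence in the path has no legitimate reason to appear.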
The command injection phase starts by killing the netscalerd process, a process often abused by cryptocurrency miners. It then creates a directory called /tmp/.init, which serves as the staging area for the malware. After creating the directory, it downloads the NOTROBIN backdoor and executes it. Persistence is achieved through a cron job that ensures a copy of the malware is always available.
Keep in mind that NOTROBIN only runs from the /var/nstmp/.nscache/httpd directory and copies itself to that location if needed.
NOTROBIN itself is built to ensure no other threat actors interact too much with an already-compromised box. Shutting down the netscalerd process likely prevents most cryptocurrency miners from infecting a host compromised by this threat actor.
The backdoor also deletes existing exploits from any newly infected host, targeting the /netscaler/portal/scripts/ directory, where most exploit payloads reside.
The backdoor opens UDP port 18634 for communication with the bad actor. There’s a strong possibility that this backdoor is built for future campaigns, such as launching distributed denial-of-service (DDoS) attacks.
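The host-side artifacts named above (the /tmp/.init staging directory, the /var/nstmp/.nscache/httpd run location, the cron persistence entry and the UDP 18634 listener) can be checked together. The following added example is not from the Avertium report or from Citrix; it takes its inputs as files so it can be exercised on a constructed tree, and the sample crontab line (including the placeholder binary name) and socket listing are assumptions made for this demonstration, not observed NOTROBIN data.

```shell
#!/bin/sh
# Added example, not from the Avertium report: a host-side check for the
# NOTROBIN artifacts the report names. Inputs are files so the check can be
# run against a constructed tree; the sample crontab and socket listing below
# are constructed assumptions, not observed NOTROBIN data.

# notrobin_host_check ROOT CRONTAB SOCKETS
#   ROOT    - filesystem root to inspect ("/" on a live appliance)
#   CRONTAB - saved crontab text (e.g. output of `crontab -l`)
#   SOCKETS - saved listener table in netstat/sockstat style
# Prints one "[!]" line per indicator found.
notrobin_host_check() {
    root=${1%/}; cron=$2; socks=$3

    [ -d "$root/tmp/.init" ] \
        && echo "[!] staging directory present: /tmp/.init"

    [ -e "$root/var/nstmp/.nscache/httpd" ] \
        && echo "[!] NOTROBIN run location present: /var/nstmp/.nscache/httpd"

    # Persistence: any cron line that points at either path.
    grep -E '/tmp/\.init|/var/nstmp/\.nscache/httpd' "$cron" 2>/dev/null \
        | while read -r line; do echo "[!] cron persistence: $line"; done

    # Backdoor channel: a UDP socket bound to port 18634.
    grep -Ei '^udp.*[.:]18634[[:space:]]' "$socks" 2>/dev/null \
        | while read -r line; do echo "[!] UDP 18634 listener: $line"; done
    return 0
}

# Number of indicators found for the same three inputs.
count_indicators() {
    notrobin_host_check "$@" | wc -l | tr -d ' '
}

# --- constructed sample environment (an assumption for this demo) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/root/tmp/.init" "$WORK/root/var/nstmp/.nscache/httpd"
# The binary name inside the run location is not given in the report,
# so the cron line uses an obvious placeholder.
cat > "$WORK/crontab" <<'EOF'
0 3 * * 0 /usr/local/bin/rotate-logs.sh
* * * * * /var/nstmp/.nscache/httpd/PLACEHOLDER_BINARY 2>/dev/null
EOF
cat > "$WORK/sockets" <<'EOF'
tcp4  0  0  *.443    *.*  LISTEN
udp4  0  0  *.18634  *.*
udp4  0  0  *.123    *.*
EOF

notrobin_host_check "$WORK/root" "$WORK/crontab" "$WORK/sockets"
```

On a live appliance you would call `notrobin_host_check / <(crontab -l) <(netstat -an)` from a shell that supports process substitution, or save those two listings to files first. Treat any single hit as grounds for a full compromise assessment rather than a one-off cleanup, since the report notes the backdoor removes competing artifacts and may be staged for later use.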
This attack could result in the “mitigation” of a vulnerability through malicious means with potential for the following:
Note: There is a compromise scanner which may help detect any successful penetration of your Citrix infrastructure. It’s not built to specifically address the NOTROBIN trojan, but it can help detect compromises due to CVE-2019-19781.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.