NOTROBIN Malware Overview
This report covers NOTROBIN, a backdoor deployed on Citrix devices through exploitation of the widely publicized vulnerability CVE-2019-19781.
NOTROBIN isn't the first piece of malware delivered through this vulnerability, but its features and infection pattern are noteworthy: rather than simply dropping a payload, it cleans up after other attackers and keeps the device for its own operator. The infection itself resembles other Linux/UNIX intrusions in that it starts from an injected command string that stages and launches the backdoor on the target host.
CVE-2019-19781 is a directory traversal vulnerability in the way the affected Citrix products handle certain web requests; an unauthenticated attacker can use it to execute arbitrary code on the device. Because these devices sit at the network edge, successful exploitation gives the attacker a foothold from which internal network resources can be reached.
Vulnerabilities like this one are often used by bad actors to gain initial access to the network before using other methods to move laterally in the environment. The affected software versions are listed below.
Affected Software Versions:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Please see our previous threat report on CVE-2019-19781 for more context.
Tactics, Techniques, and Procedures
NOTROBIN is delivered by a POST request, sent from a Tor exit node, to the vulnerable newbm.pl script on the target device. That request causes a series of commands to be injected into and executed on the device.
The exact mechanism by which the POST to newbm.pl turns into command execution isn't reproduced here; what is clear is that the vulnerable newbm.pl script is the entry point.
The injected commands first kill any process named netscalerd, a process name commonly used by cryptocurrency miners dropped on NetScaler devices. They then create the directory /tmp/.init as a staging location, download the NOTROBIN backdoor into it and execute it. Persistence is established through a cron job that ensures a copy of the malware is always present and running.
Keep in mind that NOTROBIN expects to run from /var/nstmp/.nscache/httpd; if it is started from any other location it copies itself to that path and runs the copy.
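The following is an added triage example, not code from this report or from FireEye's analysis: it scans Apache-style access-log lines for the initial-access request described above (a POST to newbm.pl carrying a directory traversal) and checks a host's file list and crontab for the staging directory, the persisted binary and the cron persistence entry. The log lines, file list and crontab are constructed for the example; the /vpn/../vpns/ traversal path is the one public CVE-2019-19781 exploits use, and the cron schedule is illustrative, since the report does not state it.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines for this example; not real captures.
# The traversal path /vpn/../vpns/ is an assumption relative to this report,
# which only names newbm.pl and a directory traversal.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [11/Jan/2020:03:12:44 +0000] "GET /vpn/index.html HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2020:03:13:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 0 "-" "curl/7.64.0"
198.51.100.23 - - [11/Jan/2020:03:13:02 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 304 0 "-" "curl/7.64.0"
203.0.113.9 - - [11/Jan/2020:03:14:10 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 88 "-" "python-requests/2.22"
10.0.0.7 - - [11/Jan/2020:03:13:09 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths the report associates with NOTROBIN on an infected device.
STAGING_DIR = "/tmp/.init"
PERSISTED_BINARY = "/var/nstmp/.nscache/httpd"
TARGET_SCRIPT = "newbm.pl"


def find_exploit_requests(log_text):
    """Return (src, timestamp, raw_path, severity) for POSTs that hit newbm.pl.

    A POST to newbm.pl is 'medium'; if the path also carries a '..' traversal
    (checked after percent-decoding, so %2e%2e is caught) it is 'high'.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        path = unquote(m["path"])
        if TARGET_SCRIPT not in path:
            continue
        if m["method"] != "POST":
            continue  # normal portal use can GET this script; the exploit POSTs to it
        severity = "high" if "/../" in path else "medium"
        hits.append((m["src"], m["ts"], m["path"], severity))
    return hits


def check_host_artifacts(existing_paths, crontab_text):
    """Flag the staging directory, the persisted binary and cron persistence.

    existing_paths: absolute paths present on the device (e.g. from a file
    listing); crontab_text: output of `crontab -l` for the relevant user.
    """
    findings = []
    present = set(existing_paths)
    if STAGING_DIR in present:
        findings.append(f"staging directory present: {STAGING_DIR}")
    if PERSISTED_BINARY in present:
        findings.append(f"persisted binary present: {PERSISTED_BINARY}")
    for entry in crontab_text.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        if PERSISTED_BINARY in entry or STAGING_DIR in entry:
            findings.append(f"cron entry referencing NOTROBIN path: {entry}")
    return findings


if __name__ == "__main__":
    for hit in find_exploit_requests(SAMPLE_ACCESS_LOG):
        print("exploit request:", hit)
    # Constructed crontab; the every-minute schedule is illustrative only.
    sample_cron = "# m h dom mon dow command\n* * * * * /var/nstmp/.nscache/httpd\n"
    sample_paths = ["/tmp/.init", "/tmp/.init/httpd", "/var/nstmp/.nscache/httpd"]
    for finding in check_host_artifacts(sample_paths, sample_cron):
        print("host artifact:", finding)
```

The request check deliberately ignores GETs to newbm.pl, because the portal itself uses that script; the traversal, not the script name, is what makes a request an exploit attempt, so an un-decoded `%2e%2e` must not slip past the severity check.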
NOTROBIN itself is built to keep other threat actors from interacting with a box its operator has already compromised. Killing netscalerd likely stops most cryptocurrency miners that other attackers have dropped on the device.
The backdoor also deletes exploit artifacts left on a newly infected host by other actors, focusing on /netscaler/portal/scripts/, the directory where CVE-2019-19781 exploit scripts are written.
The backdoor listens on UDP port 18634 for communication from the actor. There's a strong possibility that it is being staged for future campaigns, such as distributed denial of service (DDoS) attacks.
In effect, the attacker "mitigates" the vulnerability by malicious means, and an infected device leaves you exposed to the following:
- A wider compromise of network infrastructure and system components
- Network abuse through DoS/DDoS attacks launched from your device
- The blacklisting of one of your public IP addresses
Recommendations
- Highly encouraged: download and install the Citrix patch for this vulnerability (see the Citrix patch links below, which are labelled by product version for your convenience)
- If you can't patch these devices at this time, apply the interim mitigation steps (see the Mitigation Commands link), and check each device for existing compromise first, since the mitigation does not remove a backdoor that is already installed
- For consideration: implement preemptive blocks using the IOC list in the FireEye blog post linked below
Note: A compromise scanner is available (linked below) that may help detect successful exploitation of your Citrix infrastructure. It isn't written specifically for the NOTROBIN trojan, but it can detect compromises resulting from CVE-2019-19781.
Detection
- Monitor for traffic to or from your Citrix devices over UDP port 18634
- Monitor your edge Citrix devices for file-system changes: new or modified files, new directories (/tmp/.init and /var/nstmp/.nscache in particular) and permission changes
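As an added example covering the two detection items above (not code from this report, the scanner or FireEye), the block below builds a file-integrity baseline (mode and SHA-256 per path) over a constructed directory tree, reports added, removed, modified and permission-changed entries after simulated post-compromise changes, and parses `sockstat -l` output to find a UDP 18634 listener. sockstat is the FreeBSD socket lister, which applies because NetScaler appliances run on FreeBSD; the directory tree and the sockstat output are constructed for the example.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

NOTROBIN_PORT = 18634

# Constructed `sockstat -l` output in the FreeBSD column layout; not a real capture.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1201  4  tcp4   *:22                  *:*
root     ntpd       1255  5  udp4   *:123                 *:*
nobody   httpd      5123  3  udp4   *:18634               *:*
"""


def snapshot(root):
    """Map each path under root (relative, POSIX form) to (mode bits, sha256).

    Directories and symlinks get a None digest; their presence and mode are
    still tracked so new folders and permission changes show up in the diff.
    """
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        mode = stat.S_IMODE(path.lstat().st_mode)
        digest = None
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[path.relative_to(root).as_posix()] = (mode, digest)
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and return the four change classes to monitor."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified, mode_changed = [], []
    for rel in sorted(set(before) & set(after)):
        old_mode, old_hash = before[rel]
        new_mode, new_hash = after[rel]
        if old_hash != new_hash:
            modified.append(rel)
        if old_mode != new_mode:
            mode_changed.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def find_udp_listeners(sockstat_text, port=NOTROBIN_PORT):
    """Return (user, command, pid) for UDP sockets bound to `port` in sockstat -l output."""
    hits = []
    for line in sockstat_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 6:
            continue
        user, cmd, pid, _fd, proto, local = cols[:6]
        if proto.startswith("udp") and local.rsplit(":", 1)[-1] == str(port):
            hits.append((user, cmd, pid))
    return hits


def demo_integrity_check():
    """Baseline a constructed tree, simulate the changes the report describes
    (new staging dir, new binary, modified and re-permissioned script), and
    return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp, "netscaler", "portal", "scripts")
        scripts.mkdir(parents=True)
        script = scripts / "newbm.pl"
        script.write_text("#!/usr/bin/perl\n# constructed stand-in for the portal script\n")
        script.chmod(0o644)
        baseline = snapshot(tmp)
        # Simulated post-compromise changes (constructed; nothing here is malware).
        Path(tmp, "tmp", ".init").mkdir(parents=True)                 # new staging directory
        Path(tmp, "tmp", ".init", "httpd").write_bytes(b"\x7fELF...")  # new dropped file
        script.chmod(0o755)                                            # permission change
        script.write_text("#!/usr/bin/perl\n# modified by someone else\n")  # content change
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo_integrity_check().items():
        print(f"{kind}: {paths}")
    print("UDP 18634 listeners:", find_udp_listeners(SAMPLE_SOCKSTAT))
```

In production the baseline would be taken immediately after patching and stored off the device, then compared on a schedule; a diff that shows a new hidden directory under /tmp or a mode change on a portal script is exactly the signal the monitoring item above asks for.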
Sources
- FireEye Blog Post
- CVE-2019-19781 Compromise Scanner
- Citrix Advisory Links:
- Citrix Patch Links:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.