APT41 and Speculoos Overview

This report is about a known nation-state actor using multiple vulnerabilities to exploit perimeter devices. The threat actor group is known as APT41 in the cybersecurity community. APT41 is utilizing a custom-coded backdoor trojan called Speculoos to exploit a well-known Citrix vulnerability.

Threat Intel History on CVE-2019-19781

See the following related reports for background information:

  • Citrix CVE-2019-19781, the highly publicized vulnerability in the Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway. See the Avertium Threat Report here.
  • NOTROBIN, the backdoor Trojan that exploits the above Citrix vulnerability. Although NOTROBIN is similar to other Linux/UNIX infections, it has unique features and a noteworthy infection pattern. See the Avertium Threat Report here.
  • APT41, a Chinese nation state-level threat actor whose primary goal is financial gain from their successful operations. See the Avertium Threat Report here.

The Tactics, Techniques, and Procedures Used

The Speculoos backdoor trojan is used to infect the Citrix appliances listed below (see the How This Affects You section). The malware acts as a post-exploitation tool that takes over the appliance at multiple levels. All actions taken by the Speculoos backdoor trojan operate at the kernel level (kernel space) of the operating system. It targets key areas such as the CPU (processor) and physical memory to pull key configuration details from the infected host, using the operating system's "switching elements" (sysctl profiles in Linux/UNIX) to retrieve that configuration information.

The malware enters the system over common network protocols such as FTP (File Transfer Protocol) to begin the infection phase. The trojan uses hexadecimal command sets to perform file manipulation on the infected machine. Speculoos is highly advanced, but tooling of this kind is common among nation-state-level threat actors.
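The two behaviours described above, host-configuration harvesting through sysctl and file transfer over FTP, are both visible in process-execution telemetry from the appliance. The following is an added detection example, not code from the Avertium report or from the Unit 42 analysis; the record format, the process names (httpd, cron, sshd) and the web-facing user names are constructed assumptions, and the log lines are constructed samples. It flags sysctl enumeration or an FTP client launched from a web-facing process context, while leaving routine administrative sysctl use alone.

```python
"""Illustrative detection logic (added example, not part of the Avertium report):
flag process-execution records in which a web-facing, low-privilege context
invokes sysctl (host configuration harvesting) or an FTP client (file transfer
during the infection phase). The record format is a constructed, simplified one;
map the fields onto whatever process-audit telemetry your appliance or EDR emits."""
import re
from dataclasses import dataclass

# Constructed record layout: "<timestamp> user=<u> ppid_name=<parent process> cmd=<command line>"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ppid_name=(?P<parent>\S+)\s+cmd=(?P<cmd>.+)$"
)

# Hypothetical names for the appliance's web-facing execution contexts (assumption).
WEB_CONTEXT_USERS = {"nobody", "www"}
WEB_CONTEXT_PARENTS = {"httpd", "nginx"}

# sysctl anywhere in the command line, whether invoked directly or via "sh -c".
SYSCTL_RE = re.compile(r"(^|[\s/])sysctl\b")
# Plain FTP client or an ftp:// fetch; "sftp" is deliberately not matched.
FTP_RE = re.compile(r"(^|[\s/])(ftp\b|tftp\b|curl\s+ftp://|wget\s+ftp://)")

# Constructed sample telemetry. Only the records from the web-facing context should fire.
SAMPLE_LOG = """\
2020-04-14T10:01:02Z user=root ppid_name=cron cmd=/sbin/sysctl -n kern.hostname
2020-04-14T10:03:11Z user=nobody ppid_name=httpd cmd=/sbin/sysctl -a
2020-04-14T10:03:12Z user=nobody ppid_name=httpd cmd=/usr/bin/ftp 203.0.113.10
2020-04-14T10:05:40Z user=root ppid_name=sshd cmd=/bin/ls /var/tmp
2020-04-14T10:06:00Z user=nobody ppid_name=httpd cmd=/bin/sh -c /sbin/sysctl hw.physmem
"""


@dataclass
class Finding:
    timestamp: str
    reason: str
    cmd: str


def parse_record(line):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def web_context(rec):
    """True when the process ran as a web-facing user or under a web-server parent."""
    return rec["user"] in WEB_CONTEXT_USERS or rec["parent"] in WEB_CONTEXT_PARENTS


def analyze(log_text):
    """Scan records and return one Finding per suspicious execution."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not web_context(rec):
            continue  # unparseable, or an administrative context we do not alert on
        cmd = rec["cmd"]
        if SYSCTL_RE.search(cmd):
            findings.append(Finding(rec["ts"], "sysctl host-configuration enumeration from web-facing context", cmd))
        if FTP_RE.search(cmd):
            findings.append(Finding(rec["ts"], "FTP client launched from web-facing context", cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.reason}: {f.cmd}")
```

Tune `WEB_CONTEXT_USERS` and `WEB_CONTEXT_PARENTS` to the accounts and parent processes the appliance actually uses for request handling; the design choice is to key the alert on execution context rather than on the command alone, because sysctl is also run legitimately by administrators and scheduled jobs.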

How This Affects You

A successful infection could result in the loss of sensitive configuration information that may aid in further network/system compromise. If your organization holds highly sensitive financial assets, it is highly encouraged that you review this malware campaign carefully.

The affected system builds (CVE-2019-19781):

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

What You Should do About This APT41 Exploit

It’s highly encouraged that you implement the indicators of compromise (IOCs) listed below as a preemptive measure. A vendor patch is available for CVE-2019-19781, so apply the appropriate patch for your environment.

Palo Alto Unit 42 Article:

Supporting Documentation:

Additional Reading for Curious Minds:

Kernel Space vs. User Space: https://www.embhack.com/introduction-to-kernel-space-and-user-space/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.
