NotRobin Malware: the Battle for NetScaler Devices

Delaware, USA – January 17, 2020 – The CVE-2019-19781 vulnerability discovered at the end of last year has been actively exploited by attackers for several weeks, and many PoC exploits are publicly available, while Citrix will only release updates at the end of the month. NotRobin malware stands out among the many cryptocurrency miners and simple backdoors used against NetScaler devices in that it cleans the infected device from competitors, blocks subsequent infection attempts and … does nothing else. Researchers at FireEye have analyzed recently appeared malware and believe that it can be used as a backdoor, and undetermined threat actor is going to use the compromised devices in future attacks. “The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NotRobin does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.”

Threat actor issues a single HTTP POST request from a Tor exit node transmitting the payload to the vulnerable newbm.pl CGI script. As a result of compromise, a series of commands is executed that remove cryptocurrency miners, download and install NotRobin payload, and also enable persistence via the cron daemon. After that, the malware starts to check the device 1-8 times per second for exploits and, if a subsequent exploitation attempt is detected, deleting exploits before they can do anything. Community content available on Threat Detection Marketplace to detect exploitation of the vulnerability: Citrix Netscaler Attack CVE-2019-19781 – https://tdm.socprime.com/tdm/info/H34f94kvk9Pg/