NOTROBIN Malware Exploiting Citrix CVE-2019-19781

February 6, 2020

NOTROBIN Malware Overview

This report explains NOTROBIN, a backdoor trojan that exploits the highly-publicized Citrix vulnerability known as CVE-2019-19781.

NOTROBIN isn’t the first bit of malware to exploit this Citrix vulnerability, but it has unique features and an infection pattern that’s noteworthy. The malware itself is very similar to some other Linux/UNIX infections. It uses a command string to begin compromising the desired host.

Contextual Information

CVE-2019-19781 is a weakness caused by an inability for the affected Citrix products to handle specified web requests leading to the execution of remote code or a possible directory traversal event. There’s a decent chance that successful exploitation of this vulnerability would result in a bad actor gaining access to internal network resources.

Vulnerabilities like this one are often used by bad actors to gain initial access to the network before using other methods to move laterally in the environment. The affected software versions are listed below.

Affected Software Versions:

- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Please see our previous threat report on CVE-2019-19781 for more context.

Tactics, Techniques, and Procedures

The NOTROBIN malware operates by performing a POST request to the desired target which originates from a TOR node. The request targets a vulnerable script on the host called newbm.pl which triggers a series of commands being injected into the device.

It’s unclear how the NOTROBIN malware moves from the POST request to a state of command injection, but it’s clear that the vulnerable newbm.pl script is involved.

The command injection phase starts with the killing of the netscalerd process; a process often abused by cryptocurrency miners. It then creates a directory called /tmp/.init which serves as a place for the malware to be staged. After the creation of the directory, it downloads the NOTROBIN backdoor and executes it. Persistence is achieved through a cronjob ensuring that a copy of the malware is always available.

Keep in mind that NOTROBIN only runs from the /var/nstmp/.nscache/httpd directory and copies itself to that location if need be.

NOTROBIN itself is built to ensure no other threat actors interact too much with an already-compromised box. Shutting down the netscalerd process likely prevents most cryptocurrency miners from infecting a host compromised by this threat actor.

The backdoor also deletes existing exploits from any newly infected host singling out the /netscaler/portal/scripts/ directory where most exploits hide.

The backdoor opens a port for communication with the bad actor using UDP port 18634. There’s a strong possibility that this backdoor is built for future campaigns such as launching distributed denial of services (DDOS) attacks.

Impact

This attack could result in the “mitigation” of a vulnerability through malicious means with potential for the following:

A wider compromise of network infrastructure and system components
Network abuse through DOS/DDOS attacks
The blacklisting of one of your public IP addresses

Recommendation

Highly Encouraged: Download and install the patch for this vulnerability
- See Citrix Patch links below which have been labelled for your convenience
- If you can’t patch such devices at this time, consider running the mitigation steps (see the Mitigation Commands link)
For Consideration: Implement preemptive blocks using the IOC list found in the FireEye blog post linked below

Note: There is a compromise scanner which may help detect any successful penetration of your Citrix infrastructure. It’s not built to specifically address the NOTROBIN trojan, but it can help detect compromises due to CVE-2019-19781.

Monitor for network traffic over UDP port 18634
Monitor for any changes to your edge Citrix devices such as file changes, new files, new folders, and permission changes

Sources:

FireEye Blog Post
CVE-2019-19781 Compromise Scanner
Citrix Advisory Links:
- Original Citrix Post
- Temporary Mitigation Commands
Citrix Patch Links:
- SD-WAN Patch
- ADC Patch
- Citrix Gateway Patch

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Chat With One of Our Experts

Threat Report NOTROBIN citrix netscaler vulnerability CVE-2019-19781 Malware Blog

Why Avertium?

Considering Microsoft?

Latest Avertium News

Governance, Risk, + Compliance

Attack Surface Management

Threat Detection + Response

Microsoft Security Solutions

About Us

Latest Avertium News

Our Partners

Partner Opportunity Registration

Latest Avertium Resource

News & Resources

Latest Resource