NotRobin backdoor targets Citrix/NetScaler appliances
NotRobin is a backdoor that targets Citrix/NetScaler appliances.
NotRobin is spread over the internet via exploitation of a Remote Code Execution (RCE) vulnerability in these devices. The threat actor remains anonymous as they distribute NotRobin using Tor.
When executed, NotRobin removes other malware that has compromised the affected device. It then gains persistence on the device by creating a cron job and blocks any further exploitation attempts except by the threat actor.
The malware also searches for files with an .xml extension in another directory used by attackers exploiting CVE-2019-19781; if NotRobin finds the strings "block" or "BLOCK" in them, matching possible exploit code, the files are deleted.
The compromised device will also listen on UDP port 18634 but drop any received data without inspection. At the time of publication there is no evidence of any additional malware being deployed to devices compromised by NotRobin.
Indicators of Compromise
Listening UDP port:
- 18634
Directories/Filenames:
- /var/nstmp/.nscache/httpd
- /tmp/.init/httpd
Crontab entry:
- /var/nstmp/.nscache/httpd
Domain:
- vilarunners[.]cat
IP addresses:
- 95.179.163[.]186
- 80.240.31[.]218
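The indicators above turned into an offline checking routine (an added example, not code from the advisory or its authors): each function takes text already collected from an appliance (crontab output, a sockstat-style socket listing, a proxy or DNS log, a list of file paths) and returns the NotRobin matches. The sockstat column layout and all sample inputs are constructed assumptions.

```python
import re

# Indicators from the advisory above; defanging brackets removed for matching.
NOTROBIN_PATHS = ("/var/nstmp/.nscache/httpd", "/tmp/.init/httpd")
NOTROBIN_UDP_PORT = 18634
NOTROBIN_IPS = ("95.179.163.186", "80.240.31.218")
NOTROBIN_DOMAIN = "vilarunners.cat"

# Match IPs/domain as whole tokens so e.g. 95.179.163.1860 is not a false hit.
_NET_RE = re.compile(r"(?<!\w)(" + "|".join(re.escape(i) for i in NOTROBIN_IPS)
                     + r"|" + re.escape(NOTROBIN_DOMAIN) + r")(?!\w)")

def crontab_hits(crontab_text):
    """Active (non-comment) crontab lines that run a known NotRobin binary path."""
    return [ln for ln in crontab_text.splitlines()
            if not ln.lstrip().startswith("#") and any(p in ln for p in NOTROBIN_PATHS)]

def udp_port_bound(sockstat_text, port=NOTROBIN_UDP_PORT):
    """True if any udp* socket in sockstat-style output is bound to `port`.
    Assumes whitespace-separated rows with a PROTO column followed by LOCAL ADDRESS."""
    for ln in sockstat_text.splitlines():
        cols = ln.split()
        for i, col in enumerate(cols[:-1]):
            if col.startswith("udp") and cols[i + 1].rsplit(":", 1)[-1] == str(port):
                return True
    return False

def network_hits(log_text):
    """Log lines referencing the NotRobin domain or IP addresses."""
    return [ln for ln in log_text.splitlines() if _NET_RE.search(ln)]

def path_hits(existing_paths):
    """Known NotRobin file paths present in the supplied list (e.g. from a file walk)."""
    return sorted(set(existing_paths) & set(NOTROBIN_PATHS))

# Constructed sample data standing in for `crontab -l`, `sockstat -4lu` and a proxy log.
SAMPLE_CRONTAB = ("# m h dom mon dow command\n* * * * * /var/nstmp/.nscache/httpd\n"
                  "0 3 * * * /usr/bin/logrotate\n")
SAMPLE_SOCKSTAT = ("USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS\n"
                   "nobody httpd 4242 3 udp4 *:18634 *:*\n"
                   "root syslogd 88 4 udp4 *:514 *:*\n")
SAMPLE_LOG = ("2020-01-14 host=95.179.163.1860 status=200\n"
              "2020-01-14 host=vilarunners.cat status=200\n"
              "2020-01-14 host=80.240.31.218 status=404\n")
SAMPLE_PATHS = ["/etc/rc.conf", "/tmp/.init/httpd"]

def scan():
    """Run every check over the constructed samples and return the findings."""
    return {"crontab": crontab_hits(SAMPLE_CRONTAB),
            "udp_listener": udp_port_bound(SAMPLE_SOCKSTAT),
            "network": network_hits(SAMPLE_LOG),
            "paths": path_hits(SAMPLE_PATHS)}

if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name}: {hit}")
```

On a real appliance, replace the samples with the output of the corresponding commands; a hit in any category warrants treating the device as compromised rather than merely patched.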
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.