A threat group targeting the recently disclosed critical vulnerability in Citrix Application Delivery Controller (ADC) is installing its own backdoor while cleaning up other malware infections and blocking others from exploiting the vulnerability, FireEye has discovered.
Tracked as CVE-2019-19781, the vulnerability impacts Citrix ADC and Gateway products (previously known as NetScaler ADC and NetScaler Gateway). Scans for vulnerable systems started a couple of weeks ago and exploits were made public several days back.
With tens of thousands of vulnerable systems connected to the Internet, it’s no surprise that multiple threat actors are already attempting to exploit the security flaw, especially since Citrix only published mitigation details, but has yet to release patches.
One of the attacks that stands out from the crowd, FireEye says, cleans known malware off vulnerable deployments and deploys a previously unseen payload known as NOTROBIN. The malware blocks subsequent exploitation attempts, but also maintains backdoor access, likely in preparation for a future campaign.
For infection, the threat actor targets CVE-2019-19781 to execute shell commands. Exploitation is performed via a single HTTP POST request that results in an HTTP 404 response, as opposed to the HTTP GET request used by the previously released public exploits.
Following compromise, a one-line bash script is executed to remove crypto-miners, create a hidden staging folder and download NOTROBIN to it, and establish persistence.
Written in Go, NOTROBIN scans for and deletes specific files once per second, in order to block further exploitation attempts targeting CVE-2019-19781. However, if the filename or file content includes a hardcoded key, the files are not deleted.
“The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time,” FireEye says.
The researchers also discovered that NOTROBIN binaries are being deployed with unique keys and that the code spawns a background routine to listen on UDP port 18634 and receive data (although it drops the data without inspecting it).
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. […] NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows,” FireEye concludes.