NotRobin is a backdoor that targets Citrix/NetScaler appliances.
NotRobin is spread over the internet via exploitation of a Remote Code Execution (RCE) vulnerability in these devices. The threat actor remains anonymous as they distribute NotRobin using Tor.
When executed, NotRobin removes other malware that has compromised the affected device. It then gains persistence on the device by creating a cron job and blocks any further exploitation attempts except by the threat actor.
The malware also searches for files with an .xml extension in another directory used by attackers exploiting CVE-2019-19781; if NotRobin finds the strings “block” or “BLOCK” in them, which would match possible exploit code, it deletes the files.
The compromised device will also listen on UDP port 18634 but drop any received data without inspection. At the time of publication there is no evidence of any additional malware being deployed to devices compromised by NotRobin.
Indicators of Compromise
Listening UDP port: 18634
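As an added defender-side check that is not part of the original page: the function below parses FreeBSD-style `netstat -an` output (NetScaler appliances are FreeBSD-based; the exact column layout on an appliance is an assumption) and reports any UDP socket bound to the NotRobin port 18634. The sample output and all function names are constructed for illustration.

```python
# Constructed sample of FreeBSD-style `netstat -an` output. Column layout is an
# assumption; one udp4 socket is bound to *.18634, the port NotRobin listens on.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.443           10.0.0.20.51522        ESTABLISHED
tcp4       0      0 *.443                  *.*                    LISTEN
udp4       0      0 *.18634                *.*
udp4       0      0 10.0.0.5.161           *.*
udp6       0      0 *.514                  *.*
"""

NOTROBIN_UDP_PORT = 18634  # from the IoC list above


def parse_udp_sockets(netstat_output):
    """Return (proto, address, port) for every UDP socket in netstat -an output.

    FreeBSD separates address and port with a dot, so the port is taken from
    the last dot-separated field of the Local Address column.
    """
    sockets = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers, blank lines and non-UDP protocols.
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue
        addr, sep, port = fields[3].rpartition(".")
        if not sep or not port.isdigit():
            continue  # not an addr.port token we understand
        sockets.append((fields[0], addr, int(port)))
    return sockets


def find_notrobin_listener(netstat_output, port=NOTROBIN_UDP_PORT):
    """Return the UDP sockets bound to the NotRobin port (empty list if none)."""
    return [s for s in parse_udp_sockets(netstat_output) if s[2] == port]


if __name__ == "__main__":
    for proto, addr, port in find_notrobin_listener(SAMPLE_NETSTAT):
        print(f"possible NotRobin listener: {proto} {addr}:{port}")
```

A bound UDP socket on 18634 is only one indicator; confirm it against the cron job and deleted .xml files described above before treating the appliance as compromised.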