Now that NetScaler exploits for CVE-2019-19781 have been public for a couple of weeks, actors have had a little more time to update their arsenals. One particular actor has caught the interest of researchers for their method of entry and the actions they have taken post-compromise. Using a slight variation of CVE-2019-19781, the actor makes a single POST request to vulnerable devices, causing them to execute a bash "one-liner" script. This script looks for a common coin miner that is currently also being deployed to vulnerable systems and kills its process, while setting up a cron job for the actor's own downloaded payload. FireEye has named this new payload "NOTROBIN."
NOTROBIN tries to ensure that it is running from "/var/nstmp/.nscache/httpd" on the infected device. If not, it copies itself to that path, starts the copy and then lets the current process exit. Once running, it has two functions on a timer. The first runs once every second: it searches "/netscaler/portal/scripts/" for files created in the last 14 days and deletes them. The second runs eight times every second and searches for .xml files within "/netscaler/portal/templates/." This directory is where exploits for CVE-2019-19781 write templates containing commands. One feature whose purpose is currently unknown also spawns a UDP listener on port 18634; currently, all data sent to it is immediately dropped.
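As an added example (not code from the original report or from FireEye's analysis), a defender-side sweep in Python that checks a host for the three indicators described above: the payload path on disk, a cron entry pointing at it, and the UDP listener. The function name and its inputs are assumptions; on a live NetScaler the `listeners` list would be parsed from `sockstat -l` output and `root` would be "/".

```python
from pathlib import Path

# Indicators quoted from the write-up above.
NOTROBIN_PATH = "/var/nstmp/.nscache/httpd"
NOTROBIN_UDP_PORT = 18634


def check_notrobin_indicators(root, crontab_text, listeners):
    """Return a list of human-readable findings (empty list == clean).

    root          filesystem root to inspect ("/" on a live device, or the
                  mount point of a copied image)
    crontab_text  concatenated contents of the crontabs of interest
    listeners     iterable of (proto, port) pairs, e.g. parsed from sockstat
    """
    findings = []
    root = Path(root)

    # 1. The payload tries to run from a fixed path; its presence is a strong signal.
    if (root / NOTROBIN_PATH.lstrip("/")).exists():
        findings.append(f"payload present at {NOTROBIN_PATH}")

    # 2. Persistence is a cron job that launches the same path (ignore comments).
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and NOTROBIN_PATH in stripped:
            findings.append(f"cron entry references payload: {stripped}")

    # 3. The unexplained UDP listener on 18634.
    open_ports = {(str(proto).lower(), int(port)) for proto, port in listeners}
    if ("udp", NOTROBIN_UDP_PORT) in open_ports:
        findings.append(f"udp listener on port {NOTROBIN_UDP_PORT}")

    return findings


if __name__ == "__main__":
    # Constructed sample input standing in for a live host.
    sample_cron = "*/5 * * * * /var/nstmp/.nscache/httpd\n"
    sample_listeners = [("tcp", 443), ("udp", 18634)]
    for finding in check_notrobin_indicators("/", sample_cron, sample_listeners):
        print(finding)
```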
By Akshay Rohatgi and Randy Pargman