Threat Watch

Someone is Cleaning Up Infected NetScaler Devices, Leaving Possible Backdoor

Now that NetScaler exploits for CVE-2019-19781 have been public for a couple of weeks, actors have had a little more time to update their arsenals. One particular actor has caught the interest of researchers for their method of entry and actions they’ve taken post-compromise. Using a slight variation of CVE-2019-19781, the actor makes a single POST request to vulnerable devices, causing them to execute a bash “one-liner” script. This script looks for a common coin miner that is currently also being deployed to vulnerable systems and kills the process while setting up a cron job for its own downloaded payload. Fireeye has called this new payload “NOTROBIN.”

NOTROBIN tries to ensure that it is running from “/var/nstmp/.nscache/httpd” on the infected device. If not, it will copy itself to the path, start itself and then let the current process exit. Once running, it has two functions on a timer. Once every second, “/netscaler/portal/scripts/” is searched for files that were created in the last 14 days and deletes them. The second runs eight times every second and searches for .xml files within “/netscaler/portal/templates/.” This directory is where exploits for CVE-2019-19781 write templates containing commands. One feature whose function is currently unknown also spawns a UDP listener port 18634. Currently, all data sent is immediately dropped.


It is highly recommended to follow the mitigation steps provided by Citrix at Unfortunately, no patch is expected to be made available until near the end of January. Checking for UDP port 18634 is a quick and easy way to see if a device may be infected with NOTROBIN. It also copies itself to “/var/nstmp/.nscache/httpd” while creating a cron job for persistence. Checking the list of running processes for any using excessive amounts of CPU may also help to spot an infection from other sources. Currently, the most common theme seems to be dropping a coin miner. Processes using an excessive amount of CPU (typically near 100%) is another possible sign of infection.