Citrix Netscaler hacker secures systems but leaves backdoor

Security researchers are scratching their heads over recent compromises of Citrix Application Delivery Controller or Netscaler servers, that the attacker appears to be innoculating against further exploitation.

Citrix Netscaler devices are currently being probed en masse by attackers to see if they are vulnerable to a flaw that permits remote code execution, with no patch available yet, only mitigation steps.

United States security vendor FireEye observed multiple groups exploiting Citrix Netscaler devices that don't have the mitigation measures in place in dozens of successful attacks.

FireEye found that one threat actor deploys the new NOTROBIN payload that scans for malware already installed on compromised Citrix Netscaler devices and deletes these.

After exploiting the recent CVE-2019-19781 vulnerability to gain access to a Citrix Netscaler system, a Bash shell script executes that kills and deletes all running instances of the netscalerd process which are crypto currency miners.

The NOTROBIN malware is then downloaded and installed to persist on devices, and executed.

NOTROBIN scans for malicious scripts in a particular directory and deletes unless the filename or file itself contains a hardcoded key.

The malware also searches for files with an .xml extension in another directory used by attackers exploiting CVE-2019-19781; if NOTROBIN finds the strings "block" or "BLOCK" in them, matching possible exploit code, the files are deleted, FireEye said.

Again, files with specific, hardcoded keys are not deleted by NOTROBIN.

On a single device that FireEye analysed, NOTROBIN successfully blocked more than a dozen exploitation attempts over three days.

FireEye warned that the NOTROBIN attacker activities are unlikely to be altruistic.

Removing cryptominers that load up the processor to the max, which is easy to notice, is probably done to make administrators think nothing untowards is going on with the compromised Netscaler device.

Different samples of NOTROBIN contain unique keys, making it difficult for competing attackers or security vendors to easily scan for Netscaler devices "protected" by  NOTROBIN, FireEye said.

FireEye believes the NOTROBIN threat actors maintain backdoor access to compromised Netscaler devices, to be used in a later campaign of some kind.

As of yet, the security vendor has been unable to ascertain if the NOTROBIN hacker has returned to the compromised devices.

Unpatched devices that are compromised are often attacked by multiple threat actors, who at times either manually or programmatically remove existing malware to avoid conflict with their own, and detection.

A security researcher observed in a 2014 intrusion of a Drupal server used by the US state Georgia for its electronic voting machines, that the attacker patched the vulnerability exploited 20 minutes after gaining access.

The patching was done to prevent others from using the same vulnerability to gain entry to the already compromised machine, the security resarcher said.