SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.notrobin (Back to overview)

NOTROBIN

aka: remove_bds

FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

References
2020-12-21IntezerIntezer
Top Linux Cloud Threats of 2020
AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT
2020-06-16IntezerAviygayil Mechtinger
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti
2020-05-21SophosSophosLabs Uncut
Asnarök attackers twice modified attack midstream
NOTROBIN Ragnarok
2020-01-17FireEyeJosh Madeley, William Ballenthin
404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
NOTROBIN NOTROBIN
2020-01-17The RegisterShaun Nichols
'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
NOTROBIN NOTROBIN
2020-01-16DCSODCSO
A Curious Case of CVE-2019-19781 Palware: remove_bds
NOTROBIN
2020-01-14FireEyeMatt Bromiley, Nick Carr
Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)
NOTROBIN

There is no Yara-Signature yet.