SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.notrobin (Back to overview)

NOTROBIN

aka: remove_bds

FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

References
2020-06-16IntezerAviygayil Mechtinger
@online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {English}, urldate = {2020-05-23} } Asnarök attackers twice modified attack midstream
NOTROBIN Ragnarok
2020-01-17The RegisterShaun Nichols
@online{nichols:20200117:friendly:ab2be11, author = {Shaun Nichols}, title = {{'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind}}, date = {2020-01-17}, organization = {The Register}, url = {https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/}, language = {English}, urldate = {2020-05-18} } 'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
NOTROBIN NOTROBIN
2020-01-17FireEyeWilliam Ballenthin, Josh Madeley
@online{ballenthin:20200117:404:cc95f5f, author = {William Ballenthin and Josh Madeley}, title = {{404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor}}, date = {2020-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html}, language = {English}, urldate = {2020-01-17} } 404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
NOTROBIN NOTROBIN
2020-01-16DCSODCSO
@online{dcso:20200116:curious:15c5610, author = {DCSO}, title = {{A Curious Case of CVE-2019-19781 Palware: remove_bds}}, date = {2020-01-16}, organization = {DCSO}, url = {https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/}, language = {English}, urldate = {2020-01-17} } A Curious Case of CVE-2019-19781 Palware: remove_bds
NOTROBIN
2020-01-14FireEyeNick Carr, Matt Bromiley
@online{carr:20200114:rough:1c149da, author = {Nick Carr and Matt Bromiley}, title = {{Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)}}, date = {2020-01-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html}, language = {English}, urldate = {2020-01-17} } Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)
NOTROBIN

There is no Yara-Signature yet.