FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.
2020-06-16, Intezer: ELF Malware Analysis 101: Linux Threats No Longer an Afterthought (covers Cloud Snooper, Dacls, EvilGnome, HiddenWasp, MESSAGETAP, NOTROBIN, QNAPCrypt, Winnti)
2020-05-21, Sophos: Asnarök attackers twice modified attack midstream
2020-01-17, The Register: 'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
2020-01-17, FireEye: 404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
2020-01-16, DCSO: A Curious Case of CVE-2019-19781 Palware: remove_bds
2020-01-14, FireEye: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)
There is no YARA signature yet.