Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor | Mandiant
Common Information
Type                             Value
UUID                             095a5f11-3575-48da-a0e3-5e9a962349e8
Fingerprint                      2db10b7a487a5044
Analysis status                  DONE
Considered CTI value             2
Text language
Published                        Jan. 15, 2020, midnight
Added to db                      Nov. 6, 2023, 7:06 p.m.
Last updated                     Nov. 17, 2024, 12:58 p.m.
Headline                         Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
Title                            Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor | Mandiant
Detected Hints/Tags/Attributes   43/1/20
RSS Feed
Id    Enabled  Feed title           Url                                               Added to db
330            Threat Intelligence  https://www.mandiant.com/resources/blog/rss.xml   2024-08-30 22:08
Attributes
Type       #Events  CTI Value
CVE        161      cve-2019-19781
Domain     6        newbm.pl
Domain     1        cron.info
Domain     2        personalbookmark.pl
Domain     1        vilarunners.cat
Domain     35       fireeye.com
Email      1        william.ballenthin@fireeye.com
File       6        newbm.pl
File       1        cron.inf
File       2        personalbookmark.pl
File       1        wtyainadvpaw8rmh.xml
md5        1        64d4c2d3ee56af4f4ca8171556d50faa
md5        1        d474a8de77902851f96a3b7aa2dcbb8e
md5        1        73cee1e8e1c3265c8f836516c53ae042
md5        1        e57a7713cdf89a2f72c6526549d22987
IPv4       18       127.0.0.2
IPv4       2        95.179.163.186
IPv4       1        80.240.31.218
Url        1        https://95.179.163.186/wp-content/uploads/2018/09
Yara rule  1
rule NOTROBIN {
	meta:
		author = "william.ballenthin@fireeye.com"
		date_created = "2020-01-15"
	strings:
		$func_name_1 = "main.remove_bds"
		$func_name_2 = "main.xrun"
	condition:
		all of them
}