
Citrix Bleed Vulnerability:
A Gateway to LockBit Ransomware

BY eSentire Threat Response Unit (TRU)

December 4, 2023 | 8 MINS READ


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In October 2023, our 24/7 SOC received alerts that, upon investigation, led us to identify a LockBit ransomware attack. The initial indicators included Rclone activity and connections to the known malicious C2 domain megapackup[.]com.

The Incident Handling team and the eSentire Threat Response Unit (TRU) further investigated the malicious activity. We assess with high confidence that the threat actor gained initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allows attackers to bypass authentication by retrieving valid session tokens.

The exploits for Citrix Bleed are available in the wild, and the vulnerability is being actively discussed on Russian hacking forums.

We observed a file named “1411.dll” (SHA256: f392f3c875caad2d703fd3d8767272c7c7142c6a2e958f3362cdee28dc3c645d) dropped by the threat actor on multiple machines; the process chain looks like the following:

The wfshell.exe file is the Citrix WinFrame Shell that manages the environment of a user session, including tasks such as managing drive mappings, shares, printers, and more.

The “1411.dll” payload is a Brute Ratel DLL that was downloaded from the attacker’s hosting server 64.190.113[.]238. Upon running the DLL binary via regsvr32.exe, it initiates communication with the C2 server 173.44.141[.]125 over port 443. The file then gets placed under the C:\ProgramData folder.

After dropping the Brute Ratel binary, the threat actor performed a Kerberoasting attack, where an attacker exploits the Kerberos protocol to steal service account credentials by requesting service tickets and then brute forcing their encrypted content offline to reveal the service accounts' passwords.
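The following Python script is an added example of how a defender would hunt for the Kerberoasting step described above in Windows Security event 4769 (Kerberos service ticket requested) records; it is not eSentire's detection logic and contains none of the investigation's data. The sample records are constructed, and the field names (time, account, service, etype, ip) are our own mapping of the event's TargetUserName, ServiceName, TicketEncryptionType and IpAddress fields. The heuristic follows from the paragraph: the attacker needs tickets for many SPNs to crack offline, so one account requesting many distinct service tickets in a short window, especially with RC4 (0x17), stands out, while machine accounts and krbtgt renewals are excluded as normal traffic.

```python
"""Hunting for Kerberoasting in Windows Security event 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (field names are ours, mapped from the event).
SAMPLE_4769 = [
    {"time": "2023-10-12T03:14:05", "account": "jdoe", "service": "MSSQLSvc/db01", "etype": "0x17", "ip": "10.0.5.21"},
    {"time": "2023-10-12T03:14:06", "account": "jdoe", "service": "http/web01",    "etype": "0x17", "ip": "10.0.5.21"},
    {"time": "2023-10-12T03:14:06", "account": "jdoe", "service": "cifs/fs01",     "etype": "0x17", "ip": "10.0.5.21"},
    {"time": "2023-10-12T03:14:08", "account": "jdoe", "service": "ldap/dc01",     "etype": "0x17", "ip": "10.0.5.21"},
    {"time": "2023-10-12T03:14:09", "account": "jdoe", "service": "WS01$",         "etype": "0x12", "ip": "10.0.5.21"},  # machine account: normal
    {"time": "2023-10-12T03:30:00", "account": "jdoe", "service": "krbtgt",        "etype": "0x12", "ip": "10.0.5.21"},  # TGT renewal: normal
    {"time": "2023-10-12T08:00:00", "account": "asmith", "service": "MSSQLSvc/db01", "etype": "0x12", "ip": "10.0.7.3"},  # one AES ticket: normal
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption types


def is_roastable(service):
    """Machine accounts (trailing $) and krbtgt are not Kerberoasting targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Group 4769s by (account, source IP) and report the busiest window in which
    the account requested tickets for at least min_services distinct SPNs.
    Returns tuples: (account, ip, sorted services, number of RC4 requests)."""
    per_source = defaultdict(list)
    for e in events:
        if is_roastable(e["service"]):
            per_source[(e["account"], e["ip"])].append(
                (datetime.fromisoformat(e["time"]), e["service"], e["etype"]))
    findings = []
    for (account, ip), reqs in per_source.items():
        reqs.sort()  # chronological order so a sliding window works
        best, start = None, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide the window start forward
                start += 1
            chunk = reqs[start:end + 1]
            services = {r[1] for r in chunk}
            if len(services) >= min_services and (best is None or len(services) > len(best[2])):
                rc4 = sum(1 for r in chunk if r[2] in RC4_ETYPES)
                best = (account, ip, sorted(services), rc4)
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for account, ip, services, rc4 in find_kerberoasting(SAMPLE_4769):
        print(f"{account}@{ip}: {len(services)} SPNs in 5 min, {rc4} RC4 -> possible Kerberoasting")
```

In production the thresholds need tuning per environment (service accounts used by monitoring tools legitimately touch many SPNs), and the RC4 count is the strongest signal when the domain otherwise enforces AES.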

“1.msi” (MD5: 3cfed171757ec4d482eaec4bc3ab6c8f) was dropped on another machine that the compromised user had access to. The installer is a ScreenConnect client that is deployed by the threat actor to obtain remote access to the machine and possibly exfiltrate data.

The threat actor attempted to move laterally and drop the ScreenConnect client to another host via WMI with the following command:

Upon executing, the ScreenConnect client connects to an attacker-controlled instance via the command:

The domain instance-lipqpu-relay.screenconnect[.]com is the attacker-controlled instance.
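As an added example (not eSentire's detection content), the Python script below runs three endpoint checks that correspond to the process chain described above: regsvr32.exe loading a DLL from C:\ProgramData (rated higher when the parent is the Citrix wfshell.exe), msiexec.exe spawned by WmiPrvSE.exe (an MSI installed remotely over WMI), and a ScreenConnect client pointed at a relay instance that is not on an approved list. The input records are constructed Sysmon-style process-creation events in a key=value form of our own; the field names follow Sysmon (Image, ParentImage, CommandLine). The approved relay hostname is invented, and the shape of the ScreenConnect client command line (an h= parameter carrying the relay host) is an assumption; the one relay hostname taken from this post is the attacker instance named above.

```python
"""Process-chain checks over constructed Sysmon-style events (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed records in our own key=value|key=value form; not real telemetry.
SAMPLE_EVENTS = [
    r"Host=WS01|ParentImage=C:\Program Files (x86)\Citrix\System32\wfshell.exe|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\ProgramData\1411.dll",
    r"Host=WS01|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    r"Host=WS02|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i C:\Windows\Temp\1.msi /qn",
    r"Host=WS02|ParentImage=C:\Windows\System32\services.exe|Image=C:\Program Files (x86)\ScreenConnect Client (abcd1234)\ScreenConnect.ClientService.exe|CommandLine=ScreenConnect.ClientService.exe ?e=Access&y=Guest&h=instance-lipqpu-relay.screenconnect.com&p=443",
    r"Host=WS03|ParentImage=C:\Windows\System32\services.exe|Image=C:\Program Files (x86)\ScreenConnect Client (ffff0000)\ScreenConnect.ClientService.exe|CommandLine=ScreenConnect.ClientService.exe ?e=Access&y=Guest&h=instance-corpit-relay.screenconnect.com&p=443",
]

# Constructed allowlist: the relay instance(s) the organisation's own IT team uses.
APPROVED_RELAYS = {"instance-corpit-relay.screenconnect.com"}

RELAY_RE = re.compile(r"instance-[a-z0-9]+-relay\.screenconnect\.com", re.I)
PROGRAMDATA_DLL_RE = re.compile(r"c:\\programdata\\\S+\.dll", re.I)


def parse(line):
    """Split one key=value|key=value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path):
    """Lower-cased file name of a Windows path, for image comparisons."""
    return PureWindowsPath(path).name.lower()


def analyze(lines):
    """Return (host, rule, severity, detail) for every record that trips a check."""
    findings = []
    for line in lines:
        ev = parse(line)
        img = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        host = ev.get("Host", "?")
        # 1. regsvr32 registering a DLL dropped under C:\ProgramData; the Citrix
        #    session shell as parent matches the chain seen in this intrusion.
        if img == "regsvr32.exe" and PROGRAMDATA_DLL_RE.search(cmd):
            severity = "high" if parent == "wfshell.exe" else "medium"
            findings.append((host, "regsvr32_dll_from_programdata", severity, cmd))
        # 2. An MSI installed through WMI: WmiPrvSE.exe is the parent of msiexec.exe.
        if parent == "wmiprvse.exe" and img == "msiexec.exe":
            findings.append((host, "wmi_remote_msi_install", "high", cmd))
        # 3. A ScreenConnect client whose relay host is not an approved instance.
        if img.startswith("screenconnect."):
            m = RELAY_RE.search(cmd)
            if m and m.group(0).lower() not in APPROVED_RELAYS:
                findings.append((host, "unapproved_screenconnect_relay", "high", m.group(0)))
    return findings


if __name__ == "__main__":
    for host, rule, severity, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {rule} -> {detail}")
```

The third check is the durable one: blocking a single relay hostname only covers this intrusion, whereas alerting on any ScreenConnect instance outside the approved set also catches the next attacker who brings their own trial instance.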

On another host, we observed the threat actor attempting to retrieve a ZIP archive named “netz.zip” from the FileTransfer.io file-sharing service at hxxps[://]s25[.]filetransfer[.]io/storage/download/LzE9F5nDQ7jj. The archive contained netscan (a network discovery tool) and its dependencies (MD5: 495cc657c21814a1d4748ee1d44eced5), as shown in Figure 1.

Figure 1: Contents of netz.zip

Approximately two hours later, the threat actor attempted to retrieve the “lbbb.zip” from hxxps[://]s22[.]filetransfer[.]io/storage/download/QSM80MJVDAQS. The contents of the “lbbb.zip” are shown in Figure 2 below.

Figure 2: Contents of "lbbb.zip"

Figure 3: Contents of Password_dll.txt

Figure 4: Contents of Password_exe.txt

Figure 5: Contents of Password_ps1.txt

For more technical details on LockBit, you can refer to this article.

The contents of LBB_PS1.ps1 contained the snippet shown in Figure 6.

Figure 6: Contents of LBB_PS1.ps1

The script performs the following:

Figure 7: Deobfuscated PowerShell script

What did we do?

After receiving alerts, our 24/7 SOC Cyber Analysts took action and blocked the indicators of compromise (IOCs) on all endpoints and network sensors to prevent further spread of the intrusion.

At the same time, we involved our Incident Response (IR) team to determine the full impact of the intrusion.

Meanwhile, our analysts isolated the affected host and informed the client about the suspicious activities, ensuring a comprehensive and coordinated response to the security incident.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Indicators of Compromise

Name                             Indicator (MD5 unless noted)
1411.dll                         f392f3c875caad2d703fd3d8767272c7c7142c6a2e958f3362cdee28dc3c645d (SHA256)
1.msi                            3cfed171757ec4d482eaec4bc3ab6c8f
ScreenConnect attacker’s server  instance-lipqpu-relay.screenconnect[.]com
URL hosting “netz.zip”           hxxps[://]s25[.]filetransfer[.]io/storage/download/LzE9F5nDQ7jj
URL hosting “lbbb.zip”           hxxps[://]s22[.]filetransfer[.]io/storage/download/QSM80MJVDAQS
netscan.exe                      495cc657c21814a1d4748ee1d44eced5
LBB_PS1_obfuscated.ps1           07364938088247b094ca98d57d9b96a0
LBB_PS1_pass.ps1                 700d2669ac6a2b8cf6dd0b2c00ad0857
LBB_PS1.ps1                      f93bf0a7c899d85e62a7cf4ba43dac04
LBB.exe                          eec0e9f4bae7896d2adacae5b4e910a5
LBB_pass.exe                     7aedeac687d3786024094f0d51544da0
Password_dll.txt                 fb806c9acd186ac609621f4db55baa04
Password_exe.txt                 29fc5b0429d9e62a9dc2fd4c3f688b1e
Password_ps1.txt                 b2ff2144638af66e6a9e36eda0f8f733
LBB_Rundll32_pass.dll            58afb885c2d0e2eaa92901df540cc973
LBB_Rundll32.dll                 8de7ec4e13f555c3497e54c27765e0c8
LBB_ReflectiveDll_DllMain.dll    a31e6ffa9f025ca3657af9f78ea53940
LockBit DLL binary               ab41549944d71fbd02deda7bc6ab00eb
Attacker’s C2                    64.190.113[.]238
Brute Ratel C2                   173.44.141[.]125


eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
