Citrix Bleed Vulnerability: A Gateway to LockBit Ransomware

eSentire’s Threat Response Unit (TRU) tracked an October 2023 LockBit ransomware intrusion that began with exploitation of Citrix Bleed (CVE-2023-4966): initial access via session-token bypass, followed by C2 activity tied to Brute Ratel and tooling pulled from FileTransfer. The investigation details the attack chain (Kerberoasting, WMI lateral movement and ScreenConnect remote access), the exfiltration setup, and TRU’s recommended defenses. #LockBit #CitrixBleed #CVE-2023-4966 #BruteRatel #ScreenConnect #Rclone #FileTransfer #Kerberoasting

Keypoints

  • In October 2023, alerts led to the detection of a LockBit ransomware attack with early indicators including Rclone activity and a connection to the C2 domain megapackup[.]com.
  • Initial access is attributed to the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC/Gateway, enabling session-token bypass.
  • A Brute Ratel DLL (1411.dll) was dropped on multiple machines and executed via regsvr32.exe after a chain that started with cmstart.exe and wfshell.exe.
  • The wfshell.exe process is the Citrix WinFrame Shell that manages user-session tasks (drives, shares, printers, etc.).
  • Kerberoasting was used to steal service account credentials: service tickets were requested for SPN-bearing accounts and the tickets were then brute-forced offline.
  • ScreenConnect remote-access tooling was deployed for persistence and lateral movement (WMI-based), including dropping MSI packages to other hosts.
  • ZIP archives from FileTransfer (netz.zip and lbbb.zip) contained netscan tools and LockBit payloads; the TRU notes emphasize monitoring for unusual transfers and downloaded tooling.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access gained via Citrix Bleed CVE-2023-4966, bypassing authentication to retrieve session tokens. “the threat actor gained the initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allow the attackers to bypass authentication by retrieving the session tokens.”
  • [T1071.001] Web Protocols – C2 communications to attacker infrastructure (Brute Ratel C2) via 173.44.141[.]125 over port 443 and domain-based control. “communication with the C2 server 173.44.141[.]125 over port 443.”
  • [T1218.010] Signed Binary Proxy Execution: Regsvr32 – Execution of 1411.dll via regsvr32.exe after drop. “Upon running the DLL binary via regsvr32.exe, it initiates communication with the C2 server.”
  • [T1055] Process Injection – Reflective DLL Injection used by LBB_ReflectiveDll_DllMain.dll to load the ransomware DLL in memory. “LBB_ReflectiveDll_DllMain.dll – LockBit DLL using Reflective DLL Injection technique…”
  • [T1218.011] Rundll32 – Use of Rundll32 for executing LockBit components (LBB_Rundll32.dll and LBB_Rundll32_pass.dll). “LBB_Rundll32.dll … and LBB_Rundll32_pass.dll”
  • [T1047] Windows Management Instrumentation – Lateral movement via WMI to drop and execute payloads (e.g., msiexec /i 1.msi).
  • [T1046] Network Service Discovery – netscan.exe and netscan-related artifacts for internal network discovery. “netscan (network discovery tool) and its dependencies.”
  • [T1105] Ingress Tool Transfer – Tooling and payloads (netz.zip, lbbb.zip) downloaded from attacker-controlled FileTransfer URLs. “retrieving the ZIP archive named ‘netz.zip’ from FileTransfer” and “lbbb.zip” from FileTransfer.
  • [T1027] Obfuscated/Compressed Files and Information – Deobfuscation/decoding of LBB PS1 data before execution. “decodes the obfuscated $data via a custom decoding function…”
  • [T1562.001] Impair Defenses – Disable AMSI via AmsiUtils to bypass security tooling. “The script attempts to disable AMSI by accessing the AmsiUtils class and setting the amsiInitFailed field to true.”
  • [T1558.003] Kerberos Tickets – Kerberoasting to steal service account credentials. “a Kerberoasting attack, where an attacker exploits the Kerberos protocol to steal service account credentials…”
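
The three execution techniques above (regsvr32 spawned from the Citrix session shell, rundll32 loading LBB*.dll, and msiexec launched through WMI) can be expressed as process-lineage checks. The following is an added example written for this summary, not code from eSentire or the report; the events are constructed, and the WmiPrvSE.exe parent for WMI-launched msiexec is an assumption rather than a detail the report states.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str     # process image basename, e.g. "regsvr32.exe"
    parent: str    # parent process image basename
    cmdline: str

def classify(ev: ProcEvent) -> list[str]:
    """Return the technique labels a single process-creation event matches."""
    hits = []
    img, par, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    # Citrix WinFrame Shell (wfshell.exe) spawning regsvr32 to register a DLL:
    # the report's 1411.dll (Brute Ratel) loader path. The parent check matters;
    # regsvr32 under explorer.exe or an installer is routine.
    if img == "regsvr32.exe" and par == "wfshell.exe" and ".dll" in cmd:
        hits.append("T1218.010 regsvr32 under Citrix wfshell.exe")
    # rundll32 loading a LockBit component named LBB*.dll
    if img == "rundll32.exe" and re.search(r"lbb\w*\.dll", cmd):
        hits.append("T1218.011 rundll32 loading LBB*.dll")
    # msiexec /i launched by the WMI provider host (assumed parent for remote
    # WMI execution), matching the "msiexec /i 1.msi" lateral-movement step
    if img == "msiexec.exe" and par == "wmiprvse.exe" and "/i" in cmd.split():
        hits.append("T1047 msiexec /i spawned via WMI")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Run classify() over a batch and return (host, image, label) tuples."""
    return [(e.host, e.image, h) for e in events for h in classify(e)]

# Constructed sample telemetry modelled on the chain in the report.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "wfshell.exe", "cmstart.exe", "wfshell.exe"),
    ProcEvent("ws01", "regsvr32.exe", "wfshell.exe", r"regsvr32.exe /s C:\Users\Public\1411.dll"),
    ProcEvent("srv02", "msiexec.exe", "WmiPrvSE.exe", r"msiexec /i C:\Windows\Temp\1.msi /qn"),
    ProcEvent("srv03", "rundll32.exe", "cmd.exe", r"rundll32.exe C:\Temp\LBB_Rundll32.dll,Entry"),
    ProcEvent("ws04", "regsvr32.exe", "explorer.exe", r"regsvr32.exe /s C:\Program Files\Vendor\x.dll"),
]

if __name__ == "__main__":
    for host, image, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {label}")
```

The last sample event (regsvr32 under explorer.exe) produces no hit, which is the point of keying on the wfshell.exe parent rather than on regsvr32 alone.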

Indicators of Compromise

  • [File names] 1411.dll, 1.msi, Netscan-related files, LBB*.dll, LBB*.exe and other LockBit components
  • [File hash] 1411.dll (SHA256) – f392f3c875caad2d703fd3d8767272c7c7142c6a2e958f3362cdee28dc3c645d
  • [MD5] 1.msi – 3cfed171757ec4d482eaec4bc3ab6c8f
  • [MD5] Netscan.exe – 495cc657c21814a1d4748ee1d44eced5
  • [URL] hosting “netz.zip” – hxxps[://]s25[.]filetransfer[.]io/storage/download/LzE9F5nDQ7jj
  • [URL] hosting “lbbb.zip” – hxxps[://]s22[.]filetransfer[.]io/storage/download/QSM80MJVDAQS
  • [Domain] ScreenConnect attacker’s server – instance-lipqpu-relay.screenconnect[.]com
  • [IP] Brute Ratel C2 – 173.44.141[.]125
  • [IP] Attacker’s C2 – 64.190.113[.]238

Read more: https://www.esentire.com/blog/citrix-bleed-vulnerability-a-gateway-to-lockbit-ransomware