Netscaler Exploitation to Social Engineering: Mapping Convergence of Adversary Tradecraft Across Victims

Huntress’ analysis of September 2023 intrusions shows converging adversary tradecraft across multiple victims, emphasizing LOLBins, evasion, and social engineering tied to Netscaler-related activity. The campaign involved obfuscated PowerShell, credential-harvesting web shells, and exploitation of publicly documented Netscaler vulnerabilities, with activity observed before attackers could reach their final objectives. hashtags: #Netscaler #BlueVPS #ADExplorer64 #Citrix

Keypoints

  • Threat activity spans multiple organizations, showing overlapping tradecraft such as LOLBins, evasion, and non-standard user interactions.
  • Survey actions used built-in commands (whoami, ipconfig, tasklist, ping) and escalated when launched via wuauclt.exe, signaling intrusion beyond routine admin tasks.
  • Adversaries created privileged accounts and persistence via a scheduled task (e.g., SpaceAgentTaskMgrSHR) to maintain access.
  • PowerShell scripts were obfuscated, using Base64 and XOR encoding to load a DLL from a remote host (e.g., hxxps://91.236.230[.]111/1/18150e98).
  • Phishing/social-engineering chains included a OneDrive link to a password-protected zip containing LNK and DLL components, suggesting Citrix patch-themed social engineering.
  • Netscaler-related activity included web shells (netscaler.php, ctxheaderlogin.php) and credential harvesting mechanisms, plus references to CVE-2023-3519 exploitation.

MITRE Techniques

  • [T1059.001] PowerShell – PowerShell is used with obfuscated execution and non-standard arguments. “[wmic /node:[redacted] process call create "cmd /c powershell.exe -nop -ep bypass -c c:\windows\temp\esd.ps1 622ddc28910eb5482c0ed8b01b10270a20c25206-fbf201cb-s"]”
  • [T1027] Obfuscated/Compressed Files and Information – PowerShell scripts were heavily obfuscated, with Base64 and XOR encoding to hide a DLL payload and an RC4-based loader for a remote stage. “the PowerShell script leverages a combination of Base64 and XOR encoding to hide a DLL payload, which in turn attempts to decode and run another payload using an RC4 key provided as a parameter to the original script.”
  • [T1105] Ingress Tool Transfer – Payload loads from a remote location. “load additional content from a remotely hosted location: hxxps://91.236.230[.]111/1/18150e98”
  • [T1053.005] Scheduled Task – Persistence via scheduled task: “C:\Windows\System32\schtasks.exe” /create /sc onstart /tn \Microsoft\Windows\SpacePort\SpaceAgentTaskMgrSHR /tr “…/ADFS\dllhost.exe…” /ru SYSTEM
  • [T1136] Create Account – Privilege escalation via account creation: “net user DefaultService AiRPcp47_r00t /add /fullname:"DefaultService" … net localgroup "Administrators" DefaultService /add”
  • [T1023] Shortcut Modification / DLL Search Order Hijacking – LNK-based execution and sideloading attempts: “LNK object” and “DLL sideloading” observed with ADExplorer64.exe and a loader DLL. “DLL search order hijacking or sideloading attempts, as seen in examples …”
  • [T1505.003] Web Shell – Web shells on Netscaler: “Credential harvesting web shell component.” Netscaler web shells observed on netscaler.php and ctxheaderlogin.php.
  • [T1552.001] Credentials in Web Apps – Credentials harvested via a Netscaler web shell: “Credential harvesting web shell component.”
  • [T1087] Account Discovery – Active Directory information gathering using ADExplorer64.exe: “to gather Active Directory information, with a process lineage that suggests user interaction via an LNK object.”
  • [T1190] Exploit Public-Facing Application – Netscaler CVE-2023-3519 exploitation as initial access in vulnerable devices: “exploitation of CVE-2023-3519, a recent item of focus in a CISA-issued alert.”
  • [T1023] Shortcut Modification – LNK-based initial access chain leading to payload execution via Citrix-related artifacts: “LNK object … contents … ADExplorer64 launches with special parameters …”
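The keypoints and technique entries above describe process-creation artifacts a defender can alert on: survey commands (whoami, ipconfig, tasklist, ping) spawned by wuauclt.exe, PowerShell launched with -nop -ep bypass, a scheduled task created with /sc onstart and /ru SYSTEM, and a net user /add followed by net localgroup Administrators /add for the same account. The following is an added detection example, not code from Huntress or from the blog post; the event layout (sequence number, parent image, image, command line, modelled on Windows 4688 / Sysmon Event ID 1 fields) and all sample events are constructed here, with passwords, keys and paths replaced by placeholders.

```python
"""Rule-based detection over constructed Windows process-creation events.

Added example; field layout (seq, parent_image, image, command_line) is an
assumption modelled on 4688 / Sysmon EID 1. Sample events are constructed and
use placeholders where the source report redacts or elides values.
"""
import re
from typing import List, Tuple

Event = Tuple[int, str, str, str]  # (seq, parent_image, image, command_line)

# Built-in survey binaries; suspicious when their parent is wuauclt.exe.
SURVEY_BINARIES = {"whoami.exe", "ipconfig.exe", "tasklist.exe", "ping.exe"}

# powershell ... -ep bypass / -executionpolicy bypass (any argument order before it)
RE_PS_BYPASS = re.compile(r"powershell(\.exe)?\b.*?-e(xecutionpolicy|p)\s+bypass", re.I)
# schtasks /create ... /ru SYSTEM
RE_SCHTASK_SYSTEM = re.compile(r"schtasks(\.exe)?\b.*/create\b.*/ru\s+system\b", re.I)
# net user <name> <password> /add
RE_NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
# net localgroup "Administrators" <name> /add
RE_NET_ADMIN_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+(\S+)\s+/add\b', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (seq, rule_name) findings in event order.

    The account rule is stateful: a localgroup add only fires when the same
    account was created earlier in the stream, so routine group changes to
    pre-existing accounts do not alert on their own.
    """
    findings: List[Tuple[int, str]] = []
    created_accounts = set()
    for seq, parent, image, cmd in events:
        parent_name, image_name = basename(parent), basename(image)
        if image_name in SURVEY_BINARIES and parent_name == "wuauclt.exe":
            findings.append((seq, "survey_via_wuauclt"))
        if RE_PS_BYPASS.search(cmd):
            findings.append((seq, "powershell_policy_bypass"))
        if RE_SCHTASK_SYSTEM.search(cmd):
            findings.append((seq, "scheduled_task_as_system"))
        m = RE_NET_USER_ADD.search(cmd)
        if m:
            created_accounts.add(m.group(1).lower())
        m = RE_NET_ADMIN_ADD.search(cmd)
        if m and m.group(1).lower() in created_accounts:
            findings.append((seq, "new_account_added_to_administrators"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    (1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\whoami.exe", "whoami"),  # routine admin use
    (2, r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
    (3, r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    (4, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd /c powershell.exe -nop -ep bypass -c c:\windows\temp\esd.ps1 <key-placeholder>"),
    (5, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /sc onstart /tn \Microsoft\Windows\SpacePort\SpaceAgentTaskMgrSHR '
     r'/tr "C:\placeholder\ADFS\dllhost.exe" /ru SYSTEM'),
    (6, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
     'net user DefaultService <password-placeholder> /add /fullname:"DefaultService"'),
    (7, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
     'net localgroup "Administrators" DefaultService /add'),
    (8, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
     'net localgroup "Administrators" helpdesk /add'),  # pre-existing account: no correlated alert
]

if __name__ == "__main__":
    for seq, rule in analyze(SAMPLE_EVENTS):
        print(f"event {seq}: {rule}")
```

Event 1 shows why the parent process matters: the same whoami that is routine under explorer.exe is flagged under wuauclt.exe. Event 8 shows the account rule declining to fire without a preceding creation, which keeps the rule from alerting on ordinary group membership changes; a production version would bound the correlation to a time window and key it on host and user.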

Indicators of Compromise

  • [Hash] 5ee3e274a79f6ad79bb43ff193c03fb38f82396dd0a70fb2597ab78497b1a5c2 – shr.ps1 – Obfuscated PowerShell script, likely for process injection.
  • [Hash] 3c1829079eecd453e28ec3f111a4f98aa05d338787955b33b0c9932aada2c370 – N/A – Embedded DLL in shr.ps1 script.
  • [Hash] 3742b9cb7a7e664dbeb4f3b7d350a22bbd008f7698db8679a0764b7bab983025 – N/A – Embedded DLL in shr.ps1 script.
  • [IP] 91.236.230[.]111 – Remote resource hosting next-stage content for compromise activity.
  • [Hash] edd464cd0069324d9b3437126e2c95b903c274ecbb5068b9058d07f0d946ed2c – ch.dll – Loader DLL for achieving persistence.
  • [Hash] baf385c3f35a48509114cc39623da8834d37b7afd12ab00b1c3c9d695effca6f – dllhost.exe – Renamed Sysinternals Contig.exe tool.
  • [Hash] f4dbed01049e169189867713d33c24a4f07954f1c1fdd3bce08afb5aeed38804 – SpaceAgentTaskMgrLLD – “Space Agent” persistence item created as scheduled task.
  • [Hash] cbd2567b61c7be8b92dcd1c5970d7a0a74c59b5d75be889c0a58e18746e7dff6 – sqlsrvwr.exe – Loader DLL for “Space Agent” persistence mechanism.
  • [Domain] z9x[.]org – Top-level domain redirecting to malicious file storage.
  • [Hash] 3ac2d170eeefd5d866ca2285da2a7387c544250d6978bab621c2a80b95946712 – citfix29.zip – Password-protected zip archive containing LNK and other objects.
  • [Hash] 06de42d666b3ae548719778445162ddebaa5267b96ceaf5b8c38ed78ead8a148 – version.dll – Malicious DLL sideloaded by legitimate binary.
  • [Hash] bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41 – sh1.exe – Sharpshares variant.
  • [Hash] faf37bcbbcaff2de3e4b794bb9eed9e47505cdbed3a35b83ce9a216298779c62 – ctxheaderlogin.php – Web shell component.
  • [Hash] 886f3add934cb8e348dcfac78d9e0e50d6d760d065352bc8026529a6bb233279 – netscaler.php – Credential harvesting web shell component.

Read more: https://www.huntress.com/blog/netscaler-exploitation-to-social-engineering-mapping-convergence-of-adversary-tradecraft-across-victims