eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In October 2023, our 24/7 SOC
received alerts that, upon investigation, led us to identify a LockBit ransomware attack. The initial indicators included Rclone activity and connections to the known malicious C2 domain megapackup[.]com.
The Incident Handling team and the eSentire Threat Response Unit (TRU) further investigated the malicious activity. We assess with high confidence that the threat actor gained the initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allow the attackers to bypass authentication by retrieving the session tokens.
The exploits for Citrix Bleed are available in the wild, and the vulnerability is being actively discussed on Russian hacking forums.
We have observed one of the files named “1411.dll” (SHA256: f392f3c875caad2d703fd3d8767272c7c7142c6a2e958f3362cdee28dc3c645d) dropped by the threat actor on multiple machines; the process chain looks like the following:
cmstart.exe > wfshell.exe > chrome.exe > 1411.dll
The wfshell.exe file is the Citrix WinFrame Shell that manages the environment of a user session, including tasks such as managing drive mappings, shares, printers, and more.
The “1411.dll” payload is a Brute Ratel DLL that was downloaded from the attacker’s hosting server 64.190.113[.]238. Upon running the DLL binary via regsvr32.exe, it initiates communication with the C2 server 173.44.141[.]125 over port 443. The file then gets placed under the C:\ProgramData folder.
After dropping the Brute Ratel binary, the threat actor performed a Kerberoasting attack, where an attacker exploits the Kerberos protocol to steal service account credentials by requesting service tickets and then brute forcing their encrypted content offline to reveal the service accounts' passwords.
“1.msi” (MD5: 3cfed171757ec4d482eaec4bc3ab6c8f) was dropped on another machine that the compromised user had access to. The installer is a ScreenConnect client that is deployed by the threat actor to obtain remote access to the machine and possibly exfiltrate data.
The threat actor attempted to move laterally and drop the ScreenConnect client to another host via WMI with the following command:
wmic /node:<REDACTED> process call create "msiexec.exe /i C:\1.msi /quiet /qn"
Upon executing, the ScreenConnect client connects to an attacker’s-controlled instance via the command:
The domain instance-lipqpu-relay.screenconnect[.]com is the attacker-controlled instance.
On another host, we observed the threat actor attempting to retrieve the ZIP archive named “netz.zip” from FileTransfer at hxxps[://]s25[.]filetransfer[.]io/storage/download/LzE9F5nDQ7jj. The folder contained netscan (network discovery tool) and its dependencies (MD5: 495cc657c21814a1d4748ee1d44eced5), as shown in Figure 1.
Figure 1: Contents of netz.zip
Approximately two hours later, the threat actor attempted to retrieve the “lbbb.zip” from hxxps[://]s22[.]filetransfer[.]io/storage/download/QSM80MJVDAQS. The contents of the “lbbb.zip” are shown in Figure 2 below.
Figure 2: Contents of "lbbb.zip"
LBB.exe – LockBit binary.
LBB_pass.exe – LockBit binary that requires the passcode to run.
LBB_PS1.ps1 – partially unobfuscated LockBit PowerShell script to execute the ransomware.
LBB_PS1_obfuscated.ps1 – obfuscated version of LockBit PowerShell script.
LBB_PS1_pass – LockBit PowerShell script that requires passcode to run.
LBB_ReflectiveDll_DllMain.dll – LockBit DLL using Reflective DLL Injection technique that allows a Windows DLL (Dynamic Link Library) to be dynamically loaded from memory, bypassing the standard operating system loader.
LBB_Rundll32.dll – LockBit DLL ransomware binary.
LBB_Rundll32_pass.dll – LockBit DLL ransomware binary that requires a passcode for execution.
Password_dll.txt – instructions on how to run the LockBit DLL binary with passcode. (LBB_Rundll32_pass.dll) as shown in Figure 3. The DLL has the ability to run in Global and Safe Modes; in Safe Mode to bypass AntiVirus and EDR solutions.
Password_exe.txt – instructions on how to run the LockBit DLL binary with passcode (LBB_pass.exe) as shown in Figure 4. Has the ability to run in the Targeted Mode to encrypt specific folders and paths.
Password_ps1.txt – instructions on how to run the LockBit PowerShell script (LBB_PS1_pass) with passcode as shown in Figure 5.
Figure 3: Contents of Password_dll.txtFigure 4: Contents of Password_exe.txtFigure 5: Contents of Password_ps1.txt
For more technical details on LockBit, you can refer to this
article.
The contents of LBB_PS1.ps1 contained the snippet shown in Figure 6.
Figure 6: Contents of LBB_PS1.ps1
The script performs the following:
The script attempts to disable AMSI. It does this by accessing the AmsiUtils class and setting the amsiInitFailed field to true, effectively telling the system that AMSI initialization has failed, and thereby bypassing it.
Checks the PowerShell version and the architecture of the operating system. If running on a 64-bit system, it launches a new instance of PowerShell in 32-bit mode, possibly to avoid compatibility issues.
Decodes the obfuscated $data via a custom decoding function where each byte is extracted from the obfuscated data using bitwise AND operation with 0x7F. This operation essentially gets the lowest 7 bits of the integer. The extracted byte is stored in the $dB array. The original integer is then right-shifted by 7 bits (achieved by subtracting the extracted byte and dividing by 0x80). This prepares the next 7 bits of the integer for extraction in the next iteration of the inner loop. After processing all integers, the byte array $dB is then converted into an ASCII string.
Executes the decoded/deobfuscated data, which is a LockBit DLL binary (MD5: ab41549944d71fbd02deda7bc6ab00eb) as shown in Figure 7.
Figure 7: Deobfuscated PowerShell script
What did we do?
After receiving alerts, our 24/7 SOC Cyber Analysts took action and blocked the indicators of compromise (IOCs) on all endpoints and network sensors to prevent further spread of the intrusion.
At the same time, we involved our Incident Response (IR) team to determine the full impact of the intrusion.
Meanwhile, our analysts isolated the affected host and informed the client about the suspicious activities, ensuring a comprehensive and coordinated response to the security incident.
What can you learn from this TRU Positive?
The early detection of ransomware precursor activities, such as unusual Rclone activity and connections to known malicious domains, is crucial. This highlights the need for vigilant monitoring and threat intelligence to identify potential threats before they escalate.
The exploitation of the Citrix Bleed vulnerability underscores the importance of promptly patching known vulnerabilities.
The identification of a malicious DLL (1411.dll) initiating from a trusted process (Citrix WinFrame Shell) demonstrates the need for robust endpoint detection and response (EDR) solutions.
The use of a Kerberoasting attack to steal service account credentials shows how attackers can exploit legitimate functionalities within an environment for malicious purposes.
The deployment of a ScreenConnect client and the use of Rclone for data exfiltration illustrate common tactics used by attackers for maintaining access and stealing sensitive information. Therefore, implementing controls to monitor and restrict unauthorized remote access and data transfer activities is essential.
The retrieval of ZIP archives containing malicious tools and ransomware components from a legitimate file transfer service (FileTransfer) highlights how attackers can misuse legitimate services to facilitate their attacks. Organizations should monitor for unusual file transfers and downloads, even from legitimate sources.
Recommendations from our Threat Response Unit (TRU):
Upgrade Citrix NetScaler ADC and Citrix NetScaler Gateway to the latest patched version.
Implement two-factor authentication for all Remote Monitoring and Management (RMM) tools, remote access solutions, VPNs, and other critical software systems. This adds an extra layer of security beyond just passwords.
Ensure that all remote access accounts and other key system accounts are secured with strong, unique passwords. This reduces the risk of unauthorized access due to compromised credentials.
Set up ACLs to allow only trusted IPs for accessing your systems. However, if an end customer is roaming or working remotely, they should connect through a VPN to ensure secure access.
Employees with access to RMM or remote access software should receive specialized training to critically evaluate communications that purport to be from these service providers. This helps in identifying and avoiding phishing attempts.
Ensure that your IT environment—including networks, endpoints, and logs, both on-premises and in the cloud—is continuously protected by a robust Managed Detection and Response solution. This ensures ongoing monitoring and protection against threats.
Be aware of the level of response, remediation, and incident handling included in your 24/7 Managed Detection and Response (MDR) service. Knowing the scope of services provided can help in effective and timely response to incidents.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
