This report is about a ransomware campaign using Ragnorak that utilizes the heavily reported vulnerability CVE-2019-19781 to access and infect networks. The campaign also uses the well-known vulnerability referred to as Eternal Blue to infect internal hosts.
This is the second notable malware campaign to utilize the Citrix vulnerability (CVE-2019-19781) which should be concerning for IT staff.
Ragnorak has been utilized in other campaigns in the past. The method of entry for this campaign is a successful exploitation attempt of CVE-2019-19781 targeting Citrix Gateway products running the 12.x or 13.x software versions. Once the exploit is successful, it sends out a cURL request to a malicious host and downloads a shell script called ld[.]sh. The shell script checks whether python is installed and then creates a directory where it’ll host other malware. The shell script downloads two files using cURL: piz[.]Lan and de[.]py. The Python script de[.]py will stage future malicious actions and initiate the enumeration/further exploitation process.
There are a few notable files that will get downloaded inside a zip archive after de[.]py starts:
The Python script unzips the important files listed above and scans (using scan.py) the network for both vulnerable Windows Vista and Windows XP machines. Once a vulnerable system is identified, the replay files reach out to the host and run a certutil command using CMD or PowerShell to download a “patch” file which gets saved as an executable. Another certutil command is run to delete the URL cache removing the evidence. The executable gets activated starting the encryption on the targeted host and displays a ransom note.
A successful attempt could result in the compromise of your outward-facing Citrix infrastructure resulting in a bad actor being able to enumerate internal resources. There's a strong possibility that hosts vulnerable to Eternal Blue (CVE-2017-0144) will be encrypted by ransomware. This could lead to data loss if proper backups aren’t available.
It’s highly encouraged that you look for the following IOCs in your environment:
Use the FireEye blog post linked below to look for IOCs you can add to your blocklist.
It’s highly recommended that you do the following:
There is a compromise scanner that may help detect any successful penetration of your Citrix infrastructure so, consider using the scanner which is linked below (see GitHub link). Make sure you’ve run the MS17-010 patch to ensure you aren’t vulnerable to the Eternal Blue exploit (see Microsoft patch linked below).
IBM X-Force Exchange:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.