BianLian GOs for PowerShell After TeamCity Exploitation

Summary

This article summarises a recent incident involving the BianLian threat group. BianLian gained initial access by exploiting a vulnerable TeamCity server, moved on to build servers inside the victim's network, and deployed a PowerShell backdoor there. Researchers at GuidePoint de-obfuscated and analysed the backdoor and attributed it to BianLian with high confidence.

Highlights

  • BianLian exploited a TeamCity authentication-bypass vulnerability (CVE-2024-27198 / CVE-2023-42793) to gain initial access to the victim's TeamCity server.
  • After gaining access, they used the legitimate winpty tooling (winpty-agent.exe and winpty.dll, which provide a pseudo-terminal for console programs on Windows) to run commands and pivot to build servers on the victim's network.
  • They deployed a malicious PowerShell script (web.ps1) that functioned as a backdoor.
  • The backdoor communicated with the BianLian command and control server over an encrypted channel and validated the server's certificate before using it.
  • Researchers were able to de-obfuscate the script and analyse the backdoor's behaviour.
  • The backdoor leveraged techniques such as asynchronous execution (so the script stays responsive while waiting on the C2 channel) and certificate validation of the C2 endpoint (so a TLS-inspecting proxy that substitutes its own certificate breaks the channel rather than exposing its contents) to stay stealthy.
  • BianLian's move to a PowerShell backdoor is another instance of the group adapting its tooling as the defensive landscape changes.
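The highlights above describe a chain that a defender can hunt for: a TeamCity process spawning winpty, winpty spawning PowerShell, a hidden PowerShell run of web.ps1, and a script block that builds a certificate-validating TLS client with asynchronous execution. The following is an added example of that hunt logic, written for this summary and not taken from GuidePoint's analysis or from the actual indicators of the incident. The pipe-separated log format, the sample events, the assumption that TeamCity runs as java.exe under a path containing "TeamCity", and the regular expressions for the TLS-pinning and async indicators are all constructed for illustration; map the fields and tune the indicators to your own telemetry before relying on them.

```python
"""Hunt heuristics for a TeamCity -> winpty -> PowerShell backdoor chain.

Added example, not GuidePoint's code. The log format is a constructed,
pipe-separated stand-in for Sysmon Event ID 1 (process creation) records
("proc") and PowerShell Script Block Logging, Event ID 4104, records ("psb").
"""
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINPTY = {"winpty-agent.exe"}  # named on the page; winpty.dll image loads are not modelled here

# Assumed indicators (regex names are ours) of a PowerShell TLS client that
# validates or pins the server certificate and hands work off asynchronously.
TLS_CLIENT = re.compile(r"SslStream|AuthenticateAsClient", re.I)
CERT_CALLBACK = re.compile(
    r"RemoteCertificateValidationCallback|ServerCertificateValidationCallback"
    r"|GetCertHashString|\.Thumbprint", re.I)
ASYNC_EXEC = re.compile(r"BeginInvoke|BeginRead|BeginWrite|Runspace|Start-Job", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)

# Constructed sample events; none of these come from the incident.
SAMPLE_EVENTS = [
    "proc|host=build01|parent=C:\\TeamCity\\jre\\bin\\java.exe"
    "|image=C:\\Windows\\Temp\\winpty-agent.exe|cmd=winpty-agent.exe",
    "proc|host=build01|parent=C:\\Windows\\Temp\\winpty-agent.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -w hidden -ep bypass -f C:\\Windows\\Temp\\web.ps1",
    "proc|host=ws07|parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe",
    "psb|host=build01|script=$ssl = New-Object System.Net.Security.SslStream("
    "$tcp.GetStream(), $false, { param($s,$cert,$chain,$e) "
    "$cert.GetCertHashString() -eq $pinned }); $ssl.AuthenticateAsClient($h); "
    "$ps.BeginInvoke()",
    "psb|host=ws07|script=Get-ChildItem C:\\Users -Recurse",
]


def parse_event(line):
    """Turn one pipe-separated record into a dict; the first field is the kind."""
    kind, *fields = line.split("|")
    ev = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")  # split on the first '=' only
        ev[key] = value
    return ev


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Process-creation rules for the pivot chain described on the page."""
    parent_path = ev.get("parent", "")
    parent, image = basename(parent_path), basename(ev.get("image", ""))
    cmd = ev.get("cmd", "")
    out = []
    # Assumption: TeamCity server/agent runs as java.exe from a path containing
    # "TeamCity"; adjust to the install path in your environment.
    teamcity_parent = parent == "java.exe" and "teamcity" in parent_path.lower()
    if teamcity_parent and (image in SHELLS or image in WINPTY):
        out.append(("teamcity_spawns_shell", f"{parent} -> {image}"))
    if parent in WINPTY and image in SHELLS:
        out.append(("winpty_spawns_shell", f"{parent} -> {image}"))
    if image in SHELLS and HIDDEN.search(cmd) and BYPASS.search(cmd):
        out.append(("hidden_bypass_powershell", cmd))
    if image in SHELLS and re.search(r"\bweb\.ps1\b", cmd, re.I):
        out.append(("known_script_name", cmd))
    return out


def check_scriptblock(ev):
    """Flag script blocks that build a certificate-validating TLS client."""
    script = ev.get("script", "")
    hits = [name for name, rx in (("tls_client", TLS_CLIENT),
                                  ("cert_callback", CERT_CALLBACK),
                                  ("async_exec", ASYNC_EXEC)) if rx.search(script)]
    # A TLS client alone is common in admin scripts; require the custom
    # certificate check as well before raising a finding.
    if "tls_client" in hits and "cert_callback" in hits:
        return [("powershell_pinned_tls_channel", "+".join(hits))]
    return []


def scan(lines):
    """Return (host, rule, detail) tuples for every rule hit across the events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        checks = check_process(ev) if ev["kind"] == "proc" else check_scriptblock(ev)
        findings.extend((ev.get("host", "?"), rule, detail) for rule, detail in checks)
    return findings


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{host:8} {rule:32} {detail}")
```

On the sample data only the build01 events fire: the java.exe to winpty-agent.exe spawn, the winpty-agent.exe to powershell.exe spawn with the hidden-window, policy-bypass run of web.ps1, and the script block that combines SslStream with a certificate-hash check and BeginInvoke. The explorer-launched PowerShell and the plain Get-ChildItem script on ws07 stay quiet, which is the point of requiring the certificate callback alongside the TLS client rather than alerting on SslStream alone.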

https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/