SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
BianLian turns to extortion after decryptor released, reveals Avast
Wed, 13th Mar 2024

Ever since Avast released a decryptor for BianLian in January 2023, the group has transitioned to extortion-only operations. GuidePoint's Research and Intelligence Team (GRIT), in collaboration with GuidePoint's DFIR team, has been closely monitoring BianLian's activities. A recent incident involved the exploitation of a TeamCity server, which led to the deployment of a PowerShell implementation of BianLian's GO backdoor.

An intrusion observed by GuidePoint's DFIR team allowed for the identification of malicious activity within a client's network. The threat actor identified a vulnerable TeamCity server and utilised CVE-2024-27198/CVE-2023-42793 for initial access. Once inside, the threat actor targeted additional infrastructure within the victim's network, discovering two build servers which were subsequently leveraged for further exploitation.

The malicious activity included the deployment of additional tools such as a PowerShell script, web.ps1, and multiple attempts to deploy quarantined DLLs. The presence of tools from FuzzySecurity’s PowerShell Suite was also identified, indicating an attempt to dump credentials. GRIT and the DFIR team were notified after an unsuccessful attempt by the actor to employ a Security Accounts Manager (SAM) credential dumping technique.

After repeated unsuccessful attempts at executing their standard GO backdoor, the threat actor resorted to a PowerShell implementation of their backdoor, which replicated almost identical functionality.

Analysis of the obfuscated PowerShell backdoor identified an encrypted byte array that is decrypted by a simple routine, allowing the next layer of obfuscated PowerShell to run. Simple manipulation of the malicious script allowed this layer of obfuscation to be easily defeated, leading to confirmation of the PowerShell script's backdoor capabilities.

Analysis of the IP resolution and network connection management components confirmed the script as a backdoor, granting a remote attacker significant operational scope on an infected system. This reflected the capabilities of BianLian’s GO trojan. Apart from the encryption capabilities, the PowerShell backdoor also leverages RemoteCertificateValidationCallback for SSL certificate verification.
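The two traits described above (a byte array decrypted by a simple routine and fed to dynamic execution, and an overridden certificate validation callback) can be turned into a triage check over PowerShell script block text, such as the ScriptBlockText of a PowerShell 4104 event. The following is an added example written for this article, not code from GuidePoint or from web.ps1; the script it scans is a constructed, deliberately benign stand-in, and all function and heuristic names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of a PowerShell script block (hypothetical, not web.ps1,
# and deliberately benign): a byte array decrypted by a single-byte XOR and
# handed to Invoke-Expression, plus an overridden certificate callback.
SAMPLE_SCRIPT = r"""
$k = 0x2A
$d = [byte[]](0x6D,0x4F,0x5E,0x07,0x6E,0x4B,0x5E,0x4F)
$p = -join ($d | ForEach-Object { [char]($_ -bxor $k) })
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
Invoke-Expression $p
"""

# Traits the article attributes to the backdoor, as regexes over script text.
HEURISTICS: Dict[str, re.Pattern] = {
    "byte_array_literal": re.compile(r"\[byte\[\]\]\s*\(", re.I),
    "simple_decrypt_op": re.compile(r"-bxor\b|FromBase64String", re.I),
    "dynamic_execution": re.compile(r"\bInvoke-Expression\b|\biex\b", re.I),
    "cert_validation_override": re.compile(
        r"(Remote|Server)CertificateValidationCallback\s*=", re.I),
}
LOADER_TRAITS = {"byte_array_literal", "simple_decrypt_op", "dynamic_execution"}


def scan_script_block(text: str) -> List[str]:
    """Return the names of all heuristics that match the script text."""
    return [name for name, rx in HEURISTICS.items() if rx.search(text)]


def verdict(hits: List[str]) -> str:
    """Staged loader = array + decrypt + dynamic exec; a cert override escalates it."""
    if LOADER_TRAITS <= set(hits):
        return "high" if "cert_validation_override" in hits else "medium"
    return "low" if hits else "none"


def neutralize_for_analysis(text: str) -> str:
    """Swap Invoke-Expression for Write-Output so the next stage is printed, not run."""
    return re.sub(r"\bInvoke-Expression\b|\biex\b", "Write-Output", text, flags=re.I)


def recover_xor_stage(text: str) -> str:
    """Statically decrypt the byte array when the single-byte -bxor key is a literal."""
    key = int(re.search(r"\$\w+\s*=\s*(0x[0-9a-f]+)", text, re.I).group(1), 16)
    body = re.search(r"\[byte\[\]\]\s*\((.*?)\)", text, re.I | re.S).group(1)
    data = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-f]+)", body, re.I))
    return bytes(b ^ key for b in data).decode("ascii")


if __name__ == "__main__":
    hits = scan_script_block(SAMPLE_SCRIPT)
    print(hits, verdict(hits))
    print(recover_xor_stage(SAMPLE_SCRIPT))  # benign next stage: Get-Date
```

The `neutralize_for_analysis` step is the "simple manipulation" an analyst applies before running a sample in a sandbox, so the decrypted layer is emitted as text rather than executed.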

Attribution of the PowerShell backdoor to BianLian was made based on the use of shared infrastructure and AV detections. GuidePoint detected several instances of the Microsoft AV signature Win64/BianDoor.D prior to the successful deployment of the PowerShell backdoor. A high-confidence assessment by GRIT concluded that the analysed PowerShell script is a PowerShell implementation of the BianLian GO backdoor.

Despite the release of the BianLian decryptor in January 2023, the group has adapted to exploit emerging vulnerabilities and the extortion-only landscape. Given BianLian's adaptability, similar tactics are expected to continue. GuidePoint recommends a proactive approach, particularly patching externally facing applications, practising incident response plans and incorporating threat intelligence into preventative strategies, to help prevent such attacks.

Indicators of Compromise, used to identify evidence of intrusion within a network, were also provided, including the PowerShell implementation of the BianLian GO backdoor (web.ps1) and various IP addresses associated with malicious authentication to TeamCity.