BianLian attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access and move laterally within the network.
They deployed a PowerShell backdoor disguised as legitimate tools that use two-layer obfuscation with encryption and string substitution to communicate with a Command and Control (C2) server.
Researchers at Guidepoint Security linked this backdoor to the BianLian group based on its functionalities, SSL communication, and communication with a server identified as running BianLian’s GO backdoor.
Escalating Threat: From TeamCity Breach to PowerShell Backdoor
After Attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access, attackers used various Windows commands to discover the network and pivot to two build servers.
Legitimate Winpty tools were abused to run commands and deploy malicious tools, including a PowerShell script (web.ps1). Anti-virus identified DLLs associated with BianLian malware, hinting at web.ps1’s functionality.
The attackers also used other malicious binaries and tools to communicate with their servers and steal credentials. Attackers were detected when they attempted to dump credentials using a Security Accounts Manager (SAM) technique.
After failing to deploy their GO backdoor, attackers used a PowerShell backdoor with similar functionality, using two layers of obfuscation: encrypted byte array and string substitution.
The first layer was a simple encryption-decryption process that replaced the execution command with a command to write the decrypted content to a new file for easier analysis.
The second layer looked complex but after renaming variables through a “find-and-replace” approach, it became clear.
The script connects to a Command and Control (C2) server, likely for continuous operations, and uses methods related to SSL streams and TCP sockets, suggesting tunneling or backdoor functionalities.
On analyzing a malicious PowerShell backdoor linked to the BianLian threat group, the backdoor, named “cakes” and “cookies” functions, uses an established SSL stream to communicate with the C2 server.
It leverages runspace pools for asynchronous execution and .NET PowerShell. The Create() method to invoke ScriptBlocks is more efficient and potentially harder to detect than traditional Invoke-Command or Invoke-Expression.
Similar to BianLian’s GO backdoor, this PowerShell backdoor uses certificates for authentication and validates the remote SSL certificate with
After successful validation, it establishes an SSL stream and communicates with the C2 server for further instructions.
Analysis of the PowerShell script revealed a function call with a parameter (Cookies_Param1) converting to a specific IP (136.0.3.71) in decimal form.
The OSINT investigation linked this IP to a server running the BianLian GO backdoor on March 6th, 2024, coinciding with the incident time frame.
Detections for the BianDoor.D signature were observed before the PowerShell backdoor execution, and these findings strongly suggest that the PowerShell script is a BianLian GO backdoor variant.
Indicators of Compromise
INDICATOR | TYPE | DESCRIPTION |
web.ps1 | Filename | PowerShell Implementation of BianLian GO Backdoor |
136[.]0[.]3[.]71 | IP Address | BianLian C2 Infrastructure |
88[.]169[.]109[.]111 | IP Address | IP Address associated with malicious authentication to TeamCity |
165[.]227[.]151[.]123 | IP Address | IP Address associated with malicious authentication to TeamCity |
77[.]75[.]230[.]164 | IP Address | IP Address associated with malicious authentication to TeamCity |
164[.]92[.]243[.]252 | IP Address | IP Address associated with malicious authentication to TeamCity |
64[.]176[.]229[.]97 | IP Address | IP Address associated with malicious authentication to TeamCity |
164[.]92[.]251[.]25 | IP Address | IP Address associated with malicious authentication to TeamCity |
126[.]126[.]112[.]143 | IP Address | IP Address associated with malicious authentication to TeamCity |
38[.]207[.]148[.]147 | IP Address | IP Address associated with malicious authentication to TeamCity |
101[.]53[.]136[.]60 | IP Address | IP Address associated with malicious authentication to TeamCity |
188[.]166[.]236[.]38 | IP Address | IP Address associated with malicious authentication to TeamCity |
185[.]174[.]137[.]26 | IP Address | IP Address associated with malicious authentication to TeamCity |
977ff17cd1fbaf0753d4d5aa892af7aa | MD5 | Web.ps1 |
1af5616fa3b4d2a384000f83e450e4047f04cb57 | SHA1 | Web.ps1 |
7981cdb91b8bad8b0b894cfb71b090fc9773d830fe110bd4dd8f52549152b448 | SHA256 | Web.ps1 |
hxxp://136[.]0[.]3[.]71:8001/win64.exe | URL | BianLian C2 Infrastructure |
hxxp://136[.]0[.]3[.]71:8001/64.dll | URL | BianLian C2 Infrastructure |