Hackers Compromised TeamCity Server To Install BianLian’s GO Backdoor

BianLian attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access and move laterally within the network. 

They deployed a PowerShell backdoor disguised as legitimate tools that use two-layer obfuscation with encryption and string substitution to communicate with a Command and Control (C2) server. 

Researchers at Guidepoint Security linked this backdoor to the BianLian group based on its functionalities, SSL communication, and communication with a server identified as running BianLian’s GO backdoor. 

Escalating Threat: From TeamCity Breach to PowerShell Backdoor

After Attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access, attackers used various Windows commands to discover the network and pivot to two build servers. 

Legitimate Winpty tools were abused to run commands and deploy malicious tools, including a PowerShell script (web.ps1). Anti-virus identified DLLs associated with BianLian malware, hinting at web.ps1’s functionality. 

The attackers also used other malicious binaries and tools to communicate with their servers and steal credentials. Attackers were detected when they attempted to dump credentials using a Security Accounts Manager (SAM) technique. 

After failing to deploy their GO backdoor, attackers used a PowerShell backdoor with similar functionality, using two layers of obfuscation: encrypted byte array and string substitution.

The first layer was a simple encryption-decryption process that replaced the execution command with a command to write the decrypted content to a new file for easier analysis.

The second layer looked complex but after renaming variables through a “find-and-replace” approach, it became clear. 

Obfuscated Second Stage PowerShell Script

The script connects to a Command and Control (C2) server, likely for continuous operations, and uses methods related to SSL streams and TCP sockets, suggesting tunneling or backdoor functionalities.

Deobfuscated PowerShell Contents

On analyzing a malicious PowerShell backdoor linked to the BianLian threat group, the backdoor, named “cakes” and “cookies” functions, uses an established SSL stream to communicate with the C2 server. 

cookies function parameters

It leverages runspace pools for asynchronous execution and .NET PowerShell. The Create() method to invoke ScriptBlocks is more efficient and potentially harder to detect than traditional Invoke-Command or Invoke-Expression.

Similar to BianLian’s GO backdoor, this PowerShell backdoor uses certificates for authentication and validates the remote SSL certificate with 

After successful validation, it establishes an SSL stream and communicates with the C2 server for further instructions.

Analysis of the PowerShell script revealed a function call with a parameter (Cookies_Param1) converting to a specific IP (136.0.3.71) in decimal form. 

Establishing the SSL Connection

The OSINT investigation linked this IP to a server running the BianLian GO backdoor on March 6th, 2024, coinciding with the incident time frame. 

Detections for the BianDoor.D signature were observed before the PowerShell backdoor execution, and these findings strongly suggest that the PowerShell script is a BianLian GO backdoor variant.

Indicators of Compromise

INDICATOR TYPE DESCRIPTION
web.ps1 Filename PowerShell Implementation of BianLian GO Backdoor
136[.]0[.]3[.]71 IP Address BianLian C2 Infrastructure
88[.]169[.]109[.]111 IP Address IP Address associated with malicious authentication to TeamCity
165[.]227[.]151[.]123 IP Address IP Address associated with malicious authentication to TeamCity
77[.]75[.]230[.]164 IP Address IP Address associated with malicious authentication to TeamCity
164[.]92[.]243[.]252 IP Address IP Address associated with malicious authentication to TeamCity
64[.]176[.]229[.]97 IP Address IP Address associated with malicious authentication to TeamCity
164[.]92[.]251[.]25 IP Address IP Address associated with malicious authentication to TeamCity
126[.]126[.]112[.]143 IP Address IP Address associated with malicious authentication to TeamCity
38[.]207[.]148[.]147 IP Address IP Address associated with malicious authentication to TeamCity
101[.]53[.]136[.]60 IP Address IP Address associated with malicious authentication to TeamCity
188[.]166[.]236[.]38 IP Address IP Address associated with malicious authentication to TeamCity
185[.]174[.]137[.]26 IP Address IP Address associated with malicious authentication to TeamCity
977ff17cd1fbaf0753d4d5aa892af7aa MD5 Web.ps1
1af5616fa3b4d2a384000f83e450e4047f04cb57 SHA1 Web.ps1
7981cdb91b8bad8b0b894cfb71b090fc9773d830fe110bd4dd8f52549152b448 SHA256 Web.ps1
hxxp://136[.]0[.]3[.]71:8001/win64.exe URL BianLian C2 Infrastructure
hxxp://136[.]0[.]3[.]71:8001/64.dll URL BianLian C2 Infrastructure

Leave a Reply

Your email address will not be published. Required fields are marked *