“The threat actor leveraged two files, winpty-agent.exe and winpty.dll, to the build servers, which are legitimate files for winpty used to create an interface to run Windows commands,” the researchers said. “The threat actor used winpty-agent.exe on the build servers to remotely run commands from the exploited TeamCity server and leveraged BITSAdmin to deploy additional tools, including a malicious PowerShell script, net.ps1, to the server.”
Their attempts to dump credentials from the Windows Security Accounts Manager (SAM) were flagged by the endpoint security monitoring solution and prompted an investigation by incident responders. The investigation revealed that before deploying the PowerShell script, the attackers tried to deploy several DLLs that were quarantined by the local antivirus because they matched Win64/BianDoor.D, a detection signature for the group’s known backdoor written in the Go programming language.
PowerShell reimplementation of the BianLian backdoor
The PowerShell script was heavily obfuscated, but the researchers managed to deobfuscate it and analyze its contents. The script had two main functions: one called muffins, which implemented a mechanism for connecting to a command-and-control server using SSL streams and TCP sockets, and another called cookies, which implemented the rest of the backdoor execution and capabilities.
“Perhaps the most interesting component of this entire backdoor was the innovative use of the Runspace Pool along with the .NET PowerShell.Create() method to invoke a ScriptBlock with asynchronous capabilities, all while leveraging an SSL stream to pass data between the C2 server and the infected system,” the researchers said.
Most malicious PowerShell scripts rely on the Invoke-Command or Invoke-Expression cmdlets to execute commands or code on the system. By avoiding these well-known methods, BianLian’s script is more likely to escape being flagged by security products. The Runspace Pool feature is also a more performant way to execute commands asynchronously.
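Because the script never calls Invoke-Expression or Invoke-Command, a detection that keys on those cmdlets alone will miss it. The following added example, which is not code from the article or from the researchers, shows one way a defender can instead triage PowerShell script-block log text (event ID 4104 content) for the combination the article describes: an in-process PowerShell host (PowerShell.Create / RunspacePool) invoked asynchronously together with an SslStream over a raw TCP socket. The indicator weights and threshold are hypothetical, and the sample events are constructed, not real BianLian samples.

```python
import re
from dataclasses import dataclass

# Indicators for the technique described above. Weights are hypothetical
# triage values, not vendor signatures; tune them to your own baseline.
INDICATORS = {
    "powershell_create": (r"\[(?:System\.Management\.Automation\.)?PowerShell\]::Create\(", 2),
    "runspace_pool": (r"RunspaceFactory\]::CreateRunspacePool", 2),
    "async_invoke": (r"\.BeginInvoke\(", 1),
    "ssl_stream": (r"Net\.Security\.SslStream", 2),
    "tcp_socket": (r"Net\.Sockets\.TcpClient|Sockets\.Socket\]", 1),
    "cert_callback": (r"RemoteCertificateValidationCallback", 1),
}

@dataclass
class Finding:
    record_id: int
    hits: list
    score: int

def scan_scriptblock(record_id, text, threshold=5):
    """Return a Finding when enough indicators co-occur in one script block.

    A single hit (e.g. a runspace pool alone) is normal admin tooling;
    the combination of host creation, async invoke and SslStream is not.
    """
    hits = [name for name, (pat, _) in INDICATORS.items() if re.search(pat, text)]
    score = sum(INDICATORS[name][1] for name in hits)
    return Finding(record_id, hits, score) if score >= threshold else None

# Constructed sample script-block texts (record id, logged ScriptBlockText).
SAMPLE_EVENTS = [
    (1, "$rsp=[RunspaceFactory]::CreateRunspacePool(1,4);$rsp.Open();"
        "$ps=[PowerShell]::Create();$ps.RunspacePool=$rsp;"
        "$tcp=New-Object Net.Sockets.TcpClient($ip,$port);"
        "$ssl=New-Object Net.Security.SslStream($tcp.GetStream(),$false,{$true});"
        "$h=$ps.AddScript($sb).BeginInvoke()"),
    # Benign admin one-liner: no indicators at all.
    (2, "Get-ChildItem C:\\logs -Filter *.log | Measure-Object -Line"),
    # Legitimate parallel job runner: runspace pool only, below threshold.
    (3, "$rsp=[RunspaceFactory]::CreateRunspacePool(1,8);$rsp.Open()"),
]

def triage(events):
    """Run the scan over (id, text) pairs and keep only the findings."""
    return [f for f in (scan_scriptblock(i, t) for i, t in events) if f]
```

Run `triage(SAMPLE_EVENTS)` to see that only record 1 scores above the threshold, while the runspace-pool-only script (record 3) is left alone.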
BianLian’s Go backdoor uses digital certificates to authenticate the C2 server, and this behavior is replicated in the PowerShell script. Additionally, the IP address the script connected to was already flagged as a known C2 server for BianLian’s Go backdoor, reinforcing the attribution to this group.