
BianLian group exploits TeamCity once more, deploys PowerShell backdoor

“The threat actor leveraged two files, winpty-agent.exe and winpty.dll, on the build servers, which are legitimate files for winpty used to create an interface to run Windows commands,” the researchers said. “The threat actor used winpty-agent.exe on the build servers to remotely run commands from the exploited TeamCity server and leveraged BITSAdmin to deploy additional tools, including a malicious PowerShell script, web.ps1, to the server.”

Their attempts to dump credentials from the Windows Security Accounts Manager (SAM) were flagged by the endpoint security monitoring solution and prompted an investigation by incident responders. The investigation revealed that before deploying the PowerShell script, the attackers tried to deploy several DLLs that were quarantined by the local antivirus because they matched Win64/BianDoor.D. This is a detection signature for the group’s known backdoor written in the Go programming language.

PowerShell reimplementation of the BianLian backdoor

The PowerShell script was heavily obfuscated, but the researchers managed to deobfuscate it and analyze its contents. The script had two main functions: one called truffles that implemented a mechanism for connecting to a command-and-control server using SSL streams and TCP sockets, and another called cookies that implemented the rest of the backdoor execution and capabilities.


“Perhaps the most interesting detail of this whole backdoor was the innovative use of the Runspace Pool together with the .NET PowerShell.Create() method to invoke a ScriptBlock with asynchronous capabilities, all while leveraging an SSL stream to pass data between the C2 server and the infected system,” the researchers said.

Most malicious PowerShell scripts rely on the Invoke-Command or Invoke-Expression PowerShell cmdlets to execute commands or code on the system. By avoiding these well-known methods, BianLian’s script is more likely to avoid being flagged by security products. The Runspace Pool feature is also a more performant way to execute commands asynchronously.

BianLian’s Go backdoor uses digital certificates for authenticating the C2 server, and this behavior is replicated in the PowerShell script. Additionally, the IP address the script connected to was already flagged as a known C2 server for BianLian’s Go backdoor, reinforcing the attribution to this group.
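Because the script sidesteps Invoke-Expression and Invoke-Command, detection rules keyed only on those cmdlets miss it. The following added example (not code from the article or from the researchers) is a small Python triage heuristic for deobfuscated PowerShell that instead looks for the combination the report describes: a Runspace Pool plus [PowerShell]::Create() paired with an SslStream or TcpClient. The two sample scripts are constructed fragments, not the real malware.

```python
import re

# API-level indicators taken from the technique the article describes.
INDICATORS = {
    "runspace_pool": re.compile(r"CreateRunspacePool|\.RunspacePool\b", re.I),
    "powershell_create": re.compile(
        r"\[\s*(?:System\.Management\.Automation\.)?PowerShell\s*\]\s*::\s*Create", re.I),
    "async_invoke": re.compile(r"\.BeginInvoke\s*\(", re.I),
    "ssl_stream": re.compile(r"\bSslStream\b", re.I),
    "tcp_socket": re.compile(r"\bTcpClient\b", re.I),
}
# The "classic" execution primitives most PowerShell rules key on.
CLASSIC_EXEC = re.compile(r"\bInvoke-(?:Expression|Command)\b|\biex\b", re.I)


def score_script(text: str) -> dict:
    """Return a dict of indicator name -> bool for a deobfuscated script."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["classic_exec"] = bool(CLASSIC_EXEC.search(text))
    return hits


def is_suspicious(text: str) -> bool:
    """Flag the Runspace Pool + PowerShell.Create() + network-stream pattern,
    regardless of whether the script also uses Invoke-Expression/Invoke-Command."""
    h = score_script(text)
    exec_path = h["runspace_pool"] and h["powershell_create"]
    network = h["ssl_stream"] or h["tcp_socket"]
    return exec_path and network


# Constructed sample: a routine admin script using the classic cmdlet only.
SAMPLE_ADMIN = """
$servers = Get-Content .\\servers.txt
Invoke-Command -ComputerName $servers -ScriptBlock { Get-Service Spooler }
"""

# Constructed sample: fragments mirroring the API pattern described above.
SAMPLE_SUSPECT = """
$pool = [RunspaceFactory]::CreateRunspacePool(1, 5)
$ps = [PowerShell]::Create()
$ps.RunspacePool = $pool
$tcp = New-Object Net.Sockets.TcpClient($srv, $port)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$handle = $ps.AddScript($block).BeginInvoke()
"""

if __name__ == "__main__":
    for name, sample in (("admin", SAMPLE_ADMIN), ("suspect", SAMPLE_SUSPECT)):
        print(name, is_suspicious(sample), score_script(sample))
```

The heuristic is intentionally narrow; in practice it belongs beside rules for the other activity on the page, such as BITSAdmin transfers to build servers and SAM access.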
