“The threat actor leveraged two files, winpty-agent.exe and winpty.dll to the build servers, which are legitimate files for winpty used to create an interface to run Windows commands,” the researchers said. “The threat actor used winpty-agent.exe on the build servers to remotely run commands from the exploited TeamCity server and leveraged BITSAdmin to deploy additional tools, including a malicious PowerShell script, web.ps1, to the server.”
Their attempts to dump credentials from the Windows Security Accounts Manager (SAM) were flagged by the endpoint security monitoring solution and prompted an investigation by incident responders. The investigation revealed that before deploying the PowerShell script, the attackers tried to deploy several DLLs that were quarantined by the local antivirus because they matched Win64/BianDoor.D, a detection signature for the group’s known backdoor written in the Go programming language.
PowerShell reimplementation of the BianLian backdoor
The PowerShell script was highly obfuscated, but the researchers managed to deobfuscate it and analyze its contents. The script had two main functions: one, called cakes, that implemented a mechanism for connecting to a command-and-control server using SSL streams and TCP sockets, and another, called cookies, that implemented the rest of the backdoor’s execution logic and capabilities.
“Perhaps the most interesting component of this whole backdoor was the innovative use of the Runspace Pool in conjunction with the .NET PowerShell.Create() method to invoke a ScriptBlock with asynchronous capabilities, all while leveraging an SSL stream to pass data between the C2 server and the infected system,” the researchers said.
Most malicious PowerShell scripts rely on the Invoke-Command or Invoke-Expression PowerShell cmdlets to execute commands or code on the system. By avoiding these well-known techniques, BianLian’s script is more likely to avoid being flagged by security products that key on them. The Runspace Pool feature is also a more performant way to execute commands asynchronously.
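As an added example, not code from the researchers’ report, the following triage logic illustrates how a SOC could hunt for the execution pattern just described in PowerShell Script Block Logging events (Event ID 4104): a Runspace Pool combined with PowerShell.Create() and BeginInvoke(), an SslStream over a TcpClient for transport, and no Invoke-Expression or Invoke-Command. The sample events are constructed for this example (not real telemetry), and the indicator names, scoring rules and severity thresholds are assumptions of this example rather than anything the researchers published.

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104) for the
execution pattern described above: Runspace Pool + PowerShell.Create() +
BeginInvoke, an SslStream/TcpClient transport, and no Invoke-Expression or
Invoke-Command. Sample events below are constructed, not real telemetry."""
import re

# Indicators drawn from the article's description of the backdoor's mechanics.
INDICATORS = {
    "runspace_pool":     re.compile(r"CreateRunspacePool\s*\(", re.I),
    "powershell_create": re.compile(r"PowerShell\]::Create\s*\(", re.I),
    "async_invoke":      re.compile(r"\.BeginInvoke\s*\(", re.I),
    "ssl_stream":        re.compile(r"Security\.SslStream", re.I),
    "tcp_client":        re.compile(r"Sockets\.TcpClient", re.I),
}
# Cmdlets most script-based malware uses and most signatures key on.
LEGACY_EXEC = re.compile(r"\b(Invoke-Expression|IEX|Invoke-Command)\b", re.I)
# Cheap obfuscation hints: char-code assembly and string joins.
OBFUSCATION = re.compile(r"\[char\]\s*\d+|-join\b", re.I)


def score_script_block(text: str) -> dict:
    """Score one script block; thresholds are this example's assumptions."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    uses_legacy = bool(LEGACY_EXEC.search(text))
    obfus = len(OBFUSCATION.findall(text))
    # Execution half: async runspace execution that avoids IEX/Invoke-Command.
    exec_pattern = hits["runspace_pool"] and hits["powershell_create"] and not uses_legacy
    # Transport half: TLS over a raw TCP socket, as the C2 channel described uses.
    transport = hits["ssl_stream"] and hits["tcp_client"]
    if exec_pattern and transport:
        severity = "high"
    elif exec_pattern or (transport and obfus >= 3):
        severity = "medium"
    else:
        severity = "low"
    return {"hits": hits, "uses_legacy_exec": uses_legacy,
            "obfuscation_hints": obfus, "severity": severity}


def triage(events: list) -> list:
    """Return (record_id, severity) for 4104 events scoring medium or higher."""
    flagged = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        result = score_script_block(ev["script_block_text"])
        if result["severity"] != "low":
            flagged.append((ev["record_id"], result["severity"]))
    return flagged


# Constructed sample events (not real telemetry). Record 1 mimics the described
# API usage only as text; record 2 is a benign parallel admin script that also
# uses a runspace pool; record 3 builds a path with -join; record 4 is not 4104.
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 4104, "script_block_text":
     "$tcp = New-Object System.Net.Sockets.TcpClient($h, 443)\n"
     "$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)\n"
     "$pool = [RunspaceFactory]::CreateRunspacePool(1, 4); $pool.Open()\n"
     "$ps = [PowerShell]::Create(); $ps.RunspacePool = $pool\n"
     "$name = -join ([char]99, [char]97, [char]107, [char]101, [char]115)\n"
     "$handle = $ps.AddScript($sb).BeginInvoke()"},
    {"record_id": 2, "event_id": 4104, "script_block_text":
     "$pool = [RunspaceFactory]::CreateRunspacePool(1, 8)\n"
     "Invoke-Command -ComputerName $servers -ScriptBlock { Get-Service }"},
    {"record_id": 3, "event_id": 4104, "script_block_text":
     "$p = -join ('C:\\', 'Tools\\', 'mod.psm1'); Import-Module $p"},
    {"record_id": 4, "event_id": 4103, "script_block_text": "Get-Process"},
]

if __name__ == "__main__":
    for record_id, severity in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {severity}")
```

Script Block Logging records the script text as it is actually executed, so deobfuscated layers reach the 4104 event even when the file on disk is obfuscated; the regexes therefore match on the .NET API names rather than on any particular obfuscation. Runspace pools on their own are common in legitimate parallel administration scripts (record 2), which is why the scoring only reaches “high” when the async-execution half and the SslStream/TcpClient transport half appear together.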
BianLian’s Go backdoor uses digital certificates for authenticating the C2 server, and this behavior is replicated in the PowerShell script. Furthermore, the IP address the script connected to was already flagged as a known C2 server for BianLian’s Go backdoor, reinforcing the attribution to this group.