The BianLian threat actor has been observed shifting toward extortion-only activities, according to recent findings by GuidePoint’s Research and Intelligence Team (GRIT).
Following Avast’s release of a decryptor for BianLian in January 2023, the group has altered its tactics.
In a recent incident response, GRIT, in collaboration with GuidePoint’s DFIR team, uncovered new details of BianLian’s modus operandi. Exploiting vulnerabilities in a TeamCity server, the threat actor gained initial access into the victim’s environment. Utilizing a PowerShell implementation of the BianLian GO backdoor, the attacker executed a series of malicious commands.
The intrusion started with the exploitation of known TeamCity vulnerabilities CVE-2024-27198 and CVE-2023-42793, allowing the threat actor to infiltrate the victim’s system. Once inside, the attacker used Windows commands to navigate the network landscape, eventually compromising two build servers.
Read more on CVE-2024-27198: TeamCity Users Urged to Patch Critical Vulnerabilities
Through the deployment of legitimate files winpty-agent.exe and winpty.dll, the attacker remotely executed commands and introduced malicious tools, including the web.ps1 PowerShell script.
In an advisory published last Friday, GuidePoint said that despite initial challenges with their standard GO backdoor, BianLian successfully pivoted to a PowerShell-based alternative, showcasing adaptability in their approach. While the PowerShell script exhibited obfuscation techniques, further analysis revealed its true intent was to serve as a backdoor facilitating remote control over compromised systems.
Moreover, the script used advanced techniques such as Runspace Pools and SSL streams for asynchronous command execution, underscoring the threat actor’s sophistication. The use of SSL certificate validation and IP address resolution techniques further indicated a connection to BianLian’s previous tactics, aiding in attribution efforts.
“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” reads the advisory.
“This behavior aligns with what GRIT has assessed and hypothesized in our 2024 ransomware report, and we expect this type of behavior to continue to grow, especially for groups that leverage a data-exfiltration-only approach to ransomware.”
To counter threats like this, GuidePoint advised focusing on preparedness: patching external apps, practicing incident response, conducting threat intel-informed pen tests and leveraging threat intel.