
BianLian Threat Actor Shifts Focus to Extortion-Only Tactics

March 11, 2024 – Published on Infosecurity Magazine

The BianLian threat actor has been observed shifting toward extortion-only activities, according to recent findings by GuidePoint’s Research and Intelligence Team (GRIT).

Following Avast’s release of a decryptor for BianLian in January 2023, the group has altered its tactics.

In a recent incident response engagement, GRIT, in collaboration with GuidePoint’s DFIR team, uncovered new details of BianLian’s modus operandi. By exploiting vulnerabilities in a TeamCity server, the threat actor gained initial access to the victim’s environment. Using a PowerShell implementation of the BianLian Go backdoor, the attacker then executed a series of malicious commands.

The intrusion started with the exploitation of the known TeamCity vulnerabilities CVE-2024-27198 and CVE-2023-42793, which allowed the threat actor to infiltrate the victim’s system. Once inside, the attacker used built-in Windows commands to map the network, eventually compromising two build servers.

Through the deployment of legitimate files winpty-agent.exe and winpty.dll, the attacker remotely executed commands and introduced malicious tools, including the web.ps1 PowerShell script.

In an advisory published last Friday, GuidePoint said that despite initial challenges with their standard Go backdoor, BianLian successfully pivoted to a PowerShell-based alternative, showcasing adaptability in their approach. While the PowerShell script exhibited obfuscation techniques, further analysis revealed that its true purpose was to serve as a backdoor providing remote control over compromised systems.
