BianLian Ransomware Gang Gives It a Go!

Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware that was written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges. 

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations. The group has displayed signs of being new to the practical business aspects of ransomware and associated logistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of criminal extortion.

Infrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have been under active development since then. Finally, we have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.

Initial Access

The BianLian group has successfully targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain initial access into victim networks. After exploitation, they deployed either a webshell or a lightweight remote access solution such as ngrok as the follow-on payload. BianLian has also targeted SonicWall VPN devices for exploitation, another common target for ransomware groups. Finally, while we do not have direct evidence of a successful attack, we have indications that the actor targets servers that provide remote network access via solutions such as Remote Desktop, attempting to exploit weak or exposed credentials. We have also observed dwell times of up to six weeks from the actor gaining initial access and the actual encryption event. 

Tactics On Target

With a beachhead established within a network, BianLian have shown themselves to be adept with the Living off the Land (LOL) methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network. For example, they leveraged a combination of the Non-Sucking Service Manager nssm.exe and the reverse proxy ngrok.exe to create backdoors on the servers. Next, they leveraged RDP, WinRM, WMI, and PowerShell to achieve network profiling and lateral movement. Finally, they deployed their custom backdoor to a subset of compromised hosts to provide additional network access should their primary means be disrupted.

As BianLian would initially spread throughout a network, hunting for the most valuable data to steal and identify the most critical machines to encrypt, they appeared to take steps to minimize observable events. As an example, we have observed the threat actor choosing to avoid pinging a target and instead utilizing the arp command in network segments where the targeted host would be reachable. In instances where ping was necessary, the actor was judicious in the use, often sending just a single ping. While it is possible that a network defense solution could be configured in such a way to identify an abnormal ping, it is unlikely most common EDR and network security solutions would identify an actor performing targeted network reconnaissance via arp.

Once the BianLian actor identified a host they wished to access, they most often utilized standard LOL techniques such as net.exe to add and/or modify user permissions, netsh.exe to configure host firewall policies, and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.

Sample LOL commands observed:

• "C:\Windows\system32\net.exe" localgroup "Remote Desktop Users" <similar name to existing admin> /add
• "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
• "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f

Even in the final hours prior to encryption, we observed the actor taking care to avoid detection. In one instance, the actor accessed the victim network to seemingly perform last minute network reconnaissance and/or target verification, again sending single pings and arp requests to hosts. The actor then disconnected from the network for approximately an hour before returning to begin their ransom attack in earnest.

Once BianLian made the decision that it was time to encrypt a victims network, they set aside their desire to remain undetected and took a much more aggressive approach, attacking any network and/or host based defense that impeded their custom encryptor tool.

Sample commands observed targeting defenses:

Targeting Windows Defender

• "C:\Windows\system32\Dism.exe" /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart

Targeting Windows Antimalware Scan Interface (AMSI)

• [Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’).GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)

Targeting Sophos

• "C:\Windows\system32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f
• "C:\Windows\system32\reg.exe" ADD HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection /t REG_DWORD /v Enabled /d 0 /f

In one instance, BianLian encountered a server that was configured and defended in such a manner the actor was unable to successfully execute their encryptor. To overcome this, the actor installed TightVNC, modified a registry key to enable network access for TightVNC while in safe mode, then booted the server into safe mode. Since most security applications do not execute in safe mode, this enabled partial encryption of the server.  

• "C:\Windows\system32\reg.exe" copy hklm\system\CurrentControlSet\services\tvnserver hklm\system\CurrentControlSet\control\safeboot\network\tvnserver /s /f

In situations where the actor was able to overcome a victim’s defenses, BianLian utilized many of the common techniques observed in a modern ransomware attack such as deleting shadow copy files, deleting backups, as well as distributing and executing their custom encryptor via methods such as RDP, WMI, WinRM, and PowerShell scripts.

Example Encryption Timeline

In the hour before attempting the encryption phase of an attack, BianLian leveraged LOL tools to prime the network and targeted machines for attack in a less-alerting manner. They created administrator accounts on multiple servers using net.exe and dropped known-good binaries such as 7zip and winscp to enable last-minute data file exfiltration. When the actor started encryption operations, they moved aggressively and with speed. In 30 minutes, [redacted] witnessed dozens of attempts to encrypt a handful of servers, with each attempt blocked by EDR/AV. The actor then spent the next few hours both trying to circumvent security controls and gain access to additional servers that were not initially targeted in an attempt to successfully encrypt the victims files. 

Tools Used and Their Evolution

The BianLian group has developed a custom tool set consisting of a backdoor and an encryptor, developing both using the Go programming language. 

Encryptor

As first highlighted by MalwareHunterTeam, BianLian’s custom encryptor was developed in Go. This encryptor also appears to have been under active development since the BianLian group first came online earlier this year. As the MalwareHunterTeam noted, the samples highlighted in VirusTotal contain apparent versioning information:

• jack/Projects/project1/crypt27
• jack/Projects/project1/crypt28

The earliest version of the encryption binary we have been able to recover appears to be version 8 and was compiled using Go version 1.18.2:

SHA256: b60be0b5c6e553e483a9ef9040a9314dd54335de7050fed691a07f299ccb8bc6

As the actor has evolved this encryptor, so has the text used in the ransom note left behind on a victim’s computers. While the file name has remained constant, the level of detail and professionalism of the text has improved over time. 

Version 8 ransom note:

Version 27/28 ransom note:

As was reported by Cyble, BianLian’s custom encryptor operates on a file extension exclusion model. Once again, we can see that the actor has made adjustments to their binary in that the file types they target as they attempt to ransom victim networks has changed over time.

Compared to Version 27/28, Version 8 of the encryptor would not exclude .lnk files, but would additionally exclude files with the following extensions:

• .drv
• .bianlian
• .mui

Custom Backdoor

In addition to the encryptor, BianLian has developed a simple yet effective backdoor that they have deployed on machines within victim networks, enabling additional means of access. While some actors choose to deploy a full feature remote access tool with a multitude of built-in commands, BianLian’s backdoor is, at the core of it, an efficient mechanism for them to retrieve an arbitrary payload from their C2 servers, load it into memory and then execute it.

Each backdoor binary would be configured with a hardcoded IP and Port combination that it will attempt to communicate with. As an example, the binary below will attempt to establish a secure connection to 209.141.54[.]205 on port 5307.

SHA256: da7a959ae7ea237bb6cd913119a35baa43a68e375f892857f6d77eaa62aabbaf

We have observed BianLian deploy multiple backdoors into a victim network with each backdoor configured to either talk to a unique IP or a common IP but on different ports. Not only did this IP and port diversity provide the actor with multiple network paths into the victims network, but every binary would have a unique hash, defeating attempts to detect the backdoors via a simple checksum-based rule.

Infrastructure

In investigating BianLian’s infrastructure, it appeared the group prefers Linux-based hosts for their C2 servers, but we have also found evidence of Windows servers being utilized in their operations. While we do not have enough evidence to confidently identify the C2 software the group is using, we have seen indications that the C2 component is also written in the actors preferred language, Go, which would presumably allow them to easily deploy their C2 solution on either OS.

The number of active C2 nodes has also increased in relative relation to the development of the actor’s toolkit. Based on our research, the earliest known C2 server we have identified, 23.94.56[.]154, first appeared online at the end of December 2021 and remained active until early August of this year. From that initial IP, BianLian appeared to have gradually acquired new C2 servers, occasionally removing an IP, before reaching approximately ten active servers by the end of July. 

Starting in August, we observed what appeared to be a somewhat troubling explosion in the rate by which BianLian was bringing new C2 servers online. Throughout the month, BianLian continued to add new C2 nodes to their operational infrastructure, ending the month with approximately 30 active IPs, a three-fold increase in just a matter of weeks. While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them.

Victimology

As is the norm for a group conducting double extortion style ransomware attacks, the BianLian group maintained a leak site where they post the data they have exfiltrated from victim networks. While an unfortunate truth in the ransomware space is that the true number of organizations and victims of ransomware attacks will never be known, as of September 1, 2022, the BianLian site has posted details on twenty victim organizations. The threat actor also took the time to categorize the industry vertical of the victims and tagged the corresponding data.

The victim organizations range from small/medium size businesses to a large multinational company, with the majority of the companies based in North America, the UK and Australia.

In the past, BianLian has occasionally posted teaser information on victim organizations, leaving the victims identities masked, which may have served as an additional pressure mechanism on the victims in an attempt to have them pay the actors ransom demand.

We also note that this is a small sample size and continued observation will be required before drawing significant conclusions on victimology or any possible preference in targeting by BianLian.

Attribution 

While there is a long history of seemingly new ransomware groups rising from the ashes of defunct and/or rebranded groups, we do not have any indications at this time to suggest that is the case with BianLian. For all intents and purposes, the BianLian group appears to represent a new entity in the ransomware ecosystem. Furthermore, we assess that the BianLian actors represent a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business. This hypothesis is based in part on our observations of how the BianLian group has managed the business side of a ransomware operation compared to their relative skill level in compromising and navigating victim networks. 

While the actor has proven themselves proficient at compromising a victim network, we have seen the actor:

• Mistakenly sending data from one victim to another.
• Possessing a relatively stable backdoor toolkit, but have an actively developing encryption tool with an evolving ransom note.
• Long delays in communications with victims.
• Through the groups own admission on their onion site, the business side of their infrastructure is unreliable.

Note: There is an Android banking trojan that has been referred to by some researchers as BianLian (a.k.a. Hydra.) To date, we have seen no indications that this is related to the BianLian ransomware group. 1 2

Recommendations

When mitigating the threat posed by ransomware actors, it is essential to use a layered approach. Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens. 

This includes ensuring you have:

• An aggressive, prioritized patching regime; 
• Employ multi-factor authentication on every system that allows that as an option; 
• Visibility into your network and endpoint devices to quickly identify breaches; 
• Secure backups to allow return to business operations as soon as possible; 
• A well practiced incident response plan so everyone involved knows their role; and
• An assessment of your ‘Crown Jewels’ that can be used to both inform your security posture and decide ahead of an incident what data you could afford to have leaked so you can avoid paying the ransom.

In addition to these strategic recommendations, there are multiple opportunities for behavioral detections in the attack chain leveraged by BianLian:

1. Defense Evasion: Svchost not a child of services.exe

   • BianLian called one of their LOL tools svchost, then launched it via a process other than services.exe.

2. Defense Evasion: Svchost executing from an unusual path

   • BianLian called one of their LOL tools svchost.exe, then executed it from a non-standard path. 

3. Defense Evasion: Netsh to modify firewall rules

   • BianLian leveraged netsh to add a firewall rule to open 3389 to Remote Desktop. 

4. Reconnaissance: Ping -4 -n 1

   • BianLian used single pings to perform network reconnaissance. This is a false-positive prone alert.

5. Lateral Movement: Winrm dropping a file via PowerShell

   • The binary wsmprovhost.exe is used to mediate the relationship between WinRM and PowerShell. Alerting on file modification by wsmprovhost.exe proved a reliable method to detect BianLian dropping malicious files.

6. Lateral Movement: Unknown Binary Established Connection on 3389

   • If leveraging an EDR that classifies binaries as known and unknown and ties network connections to binaries, looking for 3389 in use by unknown binaries can be extremely fruitful. This rule detects BianLian’s custom Go backdoor. 

7. Credential Access: Account manipulation via net.exe

   • “Net user” is too loud to alert on in most environments, but we recommend alerting on a threshold of “net user” executions. Even a threshold as high as 10 events in 15 minutes would have detected BianLian in the attacks witnessed.

8. Execution: Unknown binary launching PowerShell

   • If leveraging an EDR that classifies binaries as known and unknown, searching for unknown binaries launching PowerShell will frequently detect use of the BianLian backdoor

9. Defense Evasion: Reg.exe modifying safeboot keys

   • BianLian added a remote access tool to safeboot keys in order to enable network access for their remote access tool in safeboot.

Indicators of Compromise

IP Context

Active C2s

Historical C2s

* These IPs were found in instances of BianLian’s backdoor, but we lack visibility on the timeframe(s) when the IPs may have been active.

Observed Command Lines

• "C:\Windows\system32\Dism.exe" /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart
• "C:\Windows\system32\net.exe" localgroup "Remote Desktop Users" <similar name to existing admin> /add
• "C:\Windows\system32\net.exe" user <legitimate admin account> 3gDZNxtsQ9G029k7D6Ljxe /domain
• "C:\Windows\system32\netsh.exe" advfirewall firewall set rule "group=remote desktop" new enable=Yes
• "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in * protocol=TCP localport=3389 action=allow
• "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /* v fAllowToGetHelp /t REG_DWORD /d 1 /f
• "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal * Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
• "C:\Windows\system32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint * Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f
• "C:\Windows\system32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint * Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f
• "C:\Windows\system32\reg.exe" ADD * HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection /t REG_DWORD /v Enabled /d 0 /* f
• "C:\Windows\system32\reg.exe" copy hklm\system\CurrentControlSet\services\tvnserver * hklm\system\CurrentControlSet\control\safeboot\network\tvnserver /s /f
• \cmd.exe /Q /c net user "Administrator" /active:yes 1> \\127.0.0.1\C$\Windows\Temp\abjAlC 2>&1
• cmd.exe /Q /c net user "Administrator" ChangeMe2morrow! 1> \\127.0.0.1\C$\Windows\Temp\OxNEcz 2>&1
• cmd.exe /Q /c quser 1> \\127.0.0.1\C$\Windows\Temp\VXPrvY 2>&1
• "C:\Windows\system32\PING.EXE" -4 -n 1 *
• [Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’).GetField(‘amsiInitFailed’,’NonPublic,* Static’).SetValue($null,$true)

MITRE ATT&CK Techniques

Tools For Researchers

During our research, we created some tool modifications for the AlphaGolang project to assist other security community researchers in working on the BianLian malware. The specific update is located here.