BianLian Ransomware Expanding C2 Infrastructure and Operational Tempo

The threat actors behind the BianLian Ransomware are rapidly expanding infrastructure, and it has been observed targeting manufacturing organizations.

Context

On September 1, 2022, researchers at the cybersecurity firm Redacted published a technical analysis of the BianLian ransomware. In the past month, BianLian has been observed being deployed against numerous sectors, including manufacturing, healthcare, and education. Throughout August, Redacted researchers reported observing BianLian threat actors rapidly expanding their command and control (C2) infrastructure and increasing their attack rate.

Technical Analysis

BianLian is written in the Go programming language, likely to frustrate reverse engineering efforts by security researchers and to make compromising multiple platforms easier for the threat actors deploying the ransomware.

According to Redacted researchers, the threat actor appears technically sophisticated in compromising targeted networks, but is likely inexperienced at ransomware operations, based on the following behaviors observed during the investigation:

• Mistakenly sending data from one victim to another.
• Possessing a relatively stable backdoor toolkit but have an actively developing encryption tool with an evolving ransom note.
• Long delays in communications with victims.
• Through the group’s own admission on their onion site, the business side of their infrastructure is unreliable.

Redacted researchers also noted that the BianLian threat actors targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and SonicWall VPN devices to gain initial access into victim networks. The threat actors also employ Living off the Land (LOL) methodology to move laterally, adjusting operations based on defensive controls present on infected networks.

Mitigation Options

Researchers with Redacted provided the following defensive measures:

• An aggressive, prioritized patching regime.
• Employ multi-factor authentication on every system that allows that as an option.
• Visibility into your network and endpoint devices to quickly identify breaches.
• Secure backups to allow return to business operations as soon as possible.
• A well-practiced incident response plan, so everyone involved knows their role.
• An assessment of your “Crown Jewels” that can be used to both inform your security posture and decide ahead of an incident what data you could afford to have leaked so you can avoid paying the ransom.

In addition to these strategic recommendations, there are multiple opportunities for behavioral detections in the attack chain leveraged by BianLian:

• Defense Evasion: Svchost not a child of services.exe
  • BianLian called one of their LOL tools svchost, then launched it via a process other than services.exe.
• Defense Evasion: Svchost executing from an unusual path
  • BianLian called one of their LOL tools svchost.exe, then executed it from a non-standard path.
• Defense Evasion: Netsh to modify firewall rules
  • BianLian leveraged netsh to add a firewall rule to open 3389 to Remote Desktop.
• Reconnaissance: Ping -4 -n 1
  • BianLian used single pings to perform network reconnaissance. This is a false-positive prone alert.
• Lateral Movement: Winrm dropping a file via PowerShell
  • The binary wsmprovhost.exe is used to mediate the relationship between WinRM and PowerShell. Alerting on file modification by wsmprovhost.exe proved a reliable method to detect BianLian dropping malicious files.
• Lateral Movement: Unknown Binary Established Connection on 3389
  • If leveraging an EDR that classifies binaries as known and unknown and ties network connections to binaries, looking for 3389 in use by unknown binaries can be extremely fruitful. This rule detects BianLian’s custom Go backdoor.
• Credential Access: Account manipulation via net.exe
  • “Net user” is too loud to alert on in most environments, but we recommend alerting on a threshold of “net user” executions. Even a threshold as high as 10 events in 15 minutes would have detected BianLian in the attacks witnessed.
• Execution: Unknown binary launching PowerShell
  • If leveraging an EDR that classifies binaries as known and unknown, searching for unknown binaries launching PowerShell will frequently detect use of the BianLian backdoor
• Defense Evasion: Reg.exe modifying safeboot keys
  • BianLian added a remote access tool to safeboot keys in order to enable network access for their remote access tool in safeboot.

IOCs

Redacted researchers provided the following indicators of compromise:

MITRE TTPs

Redacted researchers provided the following MITRE ATT&CK tactics, techniques, and procedures: