BianLian Ransomware Gang Gives It a Go!

BianLian emerged as a relatively new ransomware actor deploying Go-based malware and using LOL (Living off the Land) techniques to move laterally while evading EDR during encryption. They exploited initial access vectors such as ProxyShell and SonicWall VPNs, rapidly expanded their C2 infrastructure, and aggressively encrypted victim networks while disabling defensive tooling along the way. #BianLian #ProxyShell

Keypoints

  • New ransomware actor, BianLian, develops and uses a Go-based encryptor and backdoors, indicating a skilled yet relatively new extortion operation.
  • Initial access primarily achieved through ProxyShell exploitation and SonicWall VPN devices, with indications of targeting remote access servers.
  • LOL-based lateral movement includes backdoors created with nssm.exe and ngrok.exe, plus use of RDP, WinRM, WMI, and PowerShell for network profiling and movement.
  • Defense evasion efforts include disabling Defender/AMSI, tampering with firewall rules, and registry adjustments to remote desktop and security policies.
  • The encryptor operates with an evolving ransom note and a file-extension exclusion model, dropping known-good binaries for exfiltration and expanding target coverage over time.
  • Infrastructure expanded in August, with a threefold increase in active C2 nodes, suggesting higher operational tempo and resource availability.

MITRE Techniques

  • [T1190] Initial Access: Exploit Public-Facing Application – The BianLian group has successfully targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain initial access into victim networks. “The BianLian group has successfully targeted the ProxyShell vulnerability chain … to gain initial access into victim networks.”
  • [T1047] Execution: Windows Management Instrumentation – They leveraged RDP, WinRM, WMI, and PowerShell to achieve network profiling and lateral movement. “they leveraged RDP, WinRM, WMI, and PowerShell to achieve network profiling and lateral movement.”
  • [T1059.001] Execution: Command and Scripting Interpreter: PowerShell – PowerShell is used in conjunction with other LOL tools for execution and lateral movement. “PowerShell” is among the tools used to achieve network profiling and lateral movement.
  • [T1098] Persistence: Account Manipulation – They create/modify administrator accounts on multiple servers as part of persistence. “create administrator accounts on multiple servers” (sample timeline mentions enabling admin accounts and password changes).
  • [T1078] Persistence: Valid Accounts – Use of admin accounts and persistent access to remote systems. “Admin accounts enabled and existing admin account passwords changed…”
  • [T1562.001] Defense Evasion: Impair Defenses: Disable or Modify Tools – Targeting Windows Defender with disable commands. “Targeting Windows Defender” and related DISM commands to disable Defender.
  • [T1562.004] Defense Evasion: Impair Defenses: Disable or Modify System Firewall – Modifying firewall rules via netsh to allow Remote Desktop access. “netsh to configure host firewall policies” and specific firewall rule additions.
  • [T1036] Defense Evasion: Masquerading – Using svchost-style tool names and non-standard paths to hide tools. “called one of their LOL tools svchost, then launched it via a process other than services.exe.”
  • [T1112] Defense Evasion: Modify Registry – Adjusting registry to enable/modify RDP and security policy enforcement. “reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.”
  • [T1069] Discovery: Permission Groups Discovery – Modifying user groups/permissions to identify targets and prepare encryption. “net.exe localgroup … /add” demonstrates permission changes.
  • [T1018] Discovery: Remote System Discovery – Profiling and identifying target systems for encryption and data exfiltration. “network profiling” and targeted host selection.
  • [T1021.001] Lateral Movement: Remote Services: Remote Desktop Protocol – Using RDP to move laterally. “RDP” is mentioned as a means of movement.
  • [T1021.005] Lateral Movement: Remote Services: VNC – Backdoors and remote access methods enabling lateral movement via remote services. (Referenced in MITRE mapping in the article.)
  • [T1021.006] Lateral Movement: Remote Services: Windows Remote Management – WMI/WinRM usage for lateral movement. “WinRM” and “WMI” are used for movement.
  • [T1090] Command and Control: Proxy – Use of proxy-like tools to conceal C2 communications. “proxy” is cited in the malware’s behavior.
  • [T1071.001] Command and Control: Application Layer Protocol: Web Protocol – Web-based C2 channels via web payloads or ngrok/webshell. “webshell or lightweight remote access solution such as ngrok” and “Web Protocol” C2 used.
  • [T1486] Impact: Data Encrypted for Impact – Encryption of victim data during the encryption phase. “encryption event” and observed encryption attempts.
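The LOL commands mapped above (netsh firewall changes, reg.exe RDP tweaks, DISM disabling Defender, net localgroup additions, nssm/ngrok service backdoors, and svchost masquerading) all surface in ordinary process-creation telemetry. The following detection sketch is an added example, not code from the original article; the event records and rule names are constructed, and the regexes are illustrative rather than a vetted rule set.

```python
"""Triage sketch for BianLian-style living-off-the-land tradecraft in process-creation events."""
import re

# Constructed Sysmon/EDR-style events: (parent_image, image, command_line). Not real telemetry.
EVENTS = [
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\svchost.exe", "svchost.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
     'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net localgroup administrators backup /add"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\Dism.exe",
     "dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Temp\nssm.exe", "nssm.exe install UpdaterSvc C:\\Temp\\ngrok.exe tcp 3389"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Command-line rules keyed to the ATT&CK techniques listed above (rule names are our own labels).
RULES = [
    ("T1562.004 firewall rule opens RDP", re.compile(r"netsh\s+advfirewall.*add\s+rule.*(3389|remotedesktop)", re.I)),
    ("T1112 RDP enabled via registry", re.compile(r"reg(\.exe)?\s+add.*fDenyTSConnections.*/d\s+0", re.I)),
    ("T1098 local admin group modified", re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+.*\s+/add", re.I)),
    ("T1562.001 Defender removed via DISM", re.compile(r"dism.*disable-feature.*windows-defender", re.I)),
    ("nssm/ngrok service backdoor", re.compile(r"nssm(\.exe)?\s+install.*ngrok", re.I)),
]

def classify(parent, image, cmdline):
    """Return the rule names a single event triggers (empty list when nothing matches)."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # T1036: svchost.exe is only legitimate when it lives in System32 and is spawned by services.exe.
    img, par = image.lower(), parent.lower()
    if img.endswith("\\svchost.exe") and (
            not img.startswith("c:\\windows\\system32\\") or not par.endswith("\\services.exe")):
        hits.append("T1036 svchost masquerade")
    return hits

def scan(events):
    """Map each flagged command line to its hits; events with no hits are dropped."""
    flagged = {}
    for parent, image, cmdline in events:
        hits = classify(parent, image, cmdline)
        if hits:
            flagged[cmdline] = hits
    return flagged
```

Running `scan(EVENTS)` flags six of the eight constructed events and leaves the legitimate svchost and notepad launches alone; the parent/path check matters because the command line of a masquerading svchost looks identical to the real one.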

Indicators of Compromise

  • [Hash] Backdoors – 001f33dd5ec923afa836bb9e8049958decc152eeb6f6012b1cb635cff03be2a2, 1a1177363be7319e7fb50ac84f69acb633fd51c58f7d2d73a1d5efb5c376f256, and 2 more hashes
  • [Hash] Encryptors – 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43, b60be0b5c6e553e483a9ef9040a9314dd54335de7050fed691a07f299ccb8bc6, and 2 more hashes
  • [IP] Active IPs – 104.225.129[.]86, 104.238.223[.]10, and other active IPs
  • [IP] Historical IPs – 104.207.155[.]133, 104.238.61[.]153, and other historical IPs
  • [IP] Historical C2s – 104.238.61[.]153, 146.70.44[.]248, and other historical C2s
  • [IP] Active C2s – 104.225.129[.]86, 104.238.223[.]10, 104.238.223[.]3, and other active C2s

Read more: https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/?utm_source=PR&utm_campaign=BianLian&utm_content=media