Cyble Research Labs highlights BianLian as a Go language-based ransomware variant that targets multiple industries and leverages cross-platform capabilities to complicate reverse engineering. The campaign includes file encryption across drives, ransom notes, and double extortion via a leak site, with anti-analysis techniques such as WINE environment checks. #BianLian #GoLang #TOXMessenger #BianLianLeakSite
Keypoints
- BianLian is a GoLang-based ransomware variant that has been observed targeting multiple industries including Manufacturing, Education, Healthcare, and BFSI.
- The family was first identified mid-July 2022 and has impacted several organizations (9 victims noted in Cyble’s analysis).
- It performs anti-analysis checks, including detecting a WINE environment by resolving the wine_get_version() export via GetProcAddress().
- Encryption is performed with GoLang crypto packages (crypto/cipher, crypto/aes, crypto/rsa) and uses multi-threading (CreateThread) to speed up processing.
- The malware enumerates drives (A:–Z:) with GetDriveTypeW() and enumerates files with FindFirstFileW/FindNextFileW, excluding certain extensions/names.
- To thwart AV detection, it splits data into small chunks (10-byte blocks) during encryption and later renames files to the .bianlian extension, using MoveFileExW to replace the originals.
- A ransom note is dropped in multiple folders (Look at this instruction.txt) and the attackers conduct double extortion by leaking stolen data on a leak site and offering TOX Messenger contact for negotiations.
MITRE Techniques
- [T1204] User Execution – The behavior begins once the ransomware binary is executed, matching the execution steps described in the article. “Upon execution of the ransomware, it attempts to identify if the file is running in a WINE environment by checking the wine_get_version() function via the GetProcAddress() API.”
- [T1059] Command and Scripting Interpreter – Execution context involves interacting with system APIs during runtime, including the GetProcAddress() usage for environment checks. “Upon execution of the ransomware, it attempts to identify…”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks to detect sandbox/WINE environments. “wine_get_version() function via the GetProcAddress() API.”
- [T1027] Software Packing – Evasion through obfuscation/chunking to hinder AV detection. “Dividing the data into small chunks is a method to evade detection by Anti-Virus products.”
- [T1036] Masquerading – The GoLang-based ransomware presents a single codebase across platforms to avoid detection. “The TAs behind BianLian are constantly making changes and adding new capabilities to avoid detection.”
- [T1083] File and Directory Discovery – Enumerates targeted files using FindFirstFileW() and FindNextFileW(). “Searches files and directories for encryption by enumerating them…”
- [T1082] System Information Discovery – Basic information about the binary build is disclosed (build ID) as part of the technical analysis. “The unique build ID of the GoLang ransomware is shown below.”
- [T1518] Security Software Discovery – Indirectly indicated by anti-analysis measures and chunking to bypass defenses.
- [T1120] Peripheral Device Discovery – Indirectly related to drive enumeration across A:–Z: drives.
- [T1486] Data Encrypted for Impact – The core impact of the malware is file encryption using GoLang crypto libraries (crypto/cipher, crypto/aes, crypto/rsa).
- [T1091] Replication Through Removable Media – Indication of lateral movement capability via removable media in the technique map.
Indicators of Compromise
- [Hash] MD5 – 0c756fc8f34e409650cd910b5e2a3f00, 08e76dd242e64bb31aec09db8464b28f
- [Hash] SHA1 – 70d1d11e3b295ec6280ab33e7b129c17f40a6d2f, 3f3f62c33030cfd64dba2d4ecb1634a9042ba292
- [Hash] SHA256 – eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2, 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
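As an added example (not code from Cyble's report), a small Python triage helper that walks a directory tree and flags the three on-disk artefacts described above: files renamed to the .bianlian extension, the ransom note named Look at this instruction.txt, and any file whose MD5/SHA1/SHA256 matches the IoC hashes listed in this summary. The sample directory it builds is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IoC hashes quoted in the Indicators of Compromise section (MD5, SHA1, SHA256).
BIANLIAN_HASHES = {
    "0c756fc8f34e409650cd910b5e2a3f00", "08e76dd242e64bb31aec09db8464b28f",
    "70d1d11e3b295ec6280ab33e7b129c17f40a6d2f", "3f3f62c33030cfd64dba2d4ecb1634a9042ba292",
    "eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2",
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
}
RANSOM_NOTE = "Look at this instruction.txt"   # note name from the report
ENCRYPTED_EXT = ".bianlian"                    # extension appended after encryption


def file_digests(path):
    """Return lowercase MD5, SHA1 and SHA256 hex digests of a file, read in chunks."""
    hashes = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes:
                h.update(block)
    return [h.hexdigest() for h in hashes]


def triage(root, known_hashes=BIANLIAN_HASHES):
    """Walk `root` and collect the three BianLian artefacts the report describes."""
    findings = {"ioc_hash_matches": [], "encrypted_files": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(full)
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(full)
            if known_hashes.intersection(file_digests(full)):
                findings["ioc_hash_matches"].append(full)
    return findings


def build_sample_tree(base):
    """Constructed sample: one clean file, one renamed file and one ransom note."""
    base = Path(base)
    (base / "docs").mkdir()
    (base / "docs" / "report.docx").write_bytes(b"plain sample content")
    (base / "docs" / "budget.xlsx.bianlian").write_bytes(b"\x00" * 32)
    (base / "docs" / RANSOM_NOTE).write_text("constructed ransom note text")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, paths in triage(build_sample_tree(tmp)).items():
            print(key, len(paths))
```

The hash set matches any of the three digest types, so a single IoC list can be used regardless of which hash a feed provides.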
Read more: https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/