Unit 42 analyzed the BianLian ransomware group’s activity and found a shift from encrypt-and-leak double extortion to stealing data and extorting victims without encryption, with heavy targeting of healthcare and manufacturing organizations primarily in the US and EU. The report highlights shared tooling with Makop (a custom .NET tool), use of stolen RDP credentials and ProxyShell exploits for initial access, SAM dumping, scheduled-task persistence using rundll32 to load a backdoor DLL, port scanning with Advanced Port Scanner, and numerous C2 IPs and file hashes. #BianLian #Makop

Keypoints

  • BianLian has been highly active since 2022 and shifted from encrypting victims to extorting via stolen data without encryption.
  • Unit 42 observed a shared custom .NET tool between BianLian and Makop, indicating possible code- or developer-sharing.
  • Initial access methods include stolen RDP credentials, ProxyShell exploitation, targeting VPN providers, and deploying web shells.
  • Post-compromise activity includes credential dumping (SAM hive written to %windir%\Temp), network reconnaissance using Advanced Port Scanner, and lateral movement with public tools.
  • Persistence was achieved by dropping a backdoor DLL under c:\programdata\vmware\[filename].dll and creating a scheduled task that runs rundll32 to invoke the DLL’s Entry export.
  • BianLian uses a Go-based backdoor/loader with hard-coded C2 IP:port that downloads and executes additional payloads; many encryptor and backdoor file hashes and C2 IPs are provided as IOCs.
  • Cortex XDR behavioral/anti-ransomware protections detected and prevented the encryptor, backdoor execution, SAM dumping, and scheduled-task creation in testing telemetry.

MITRE Techniques

  • [T1078] Valid Accounts – Use of stolen Remote Desktop Protocol (RDP) credentials to gain access. (‘Use stolen Remote Desktop Protocol (RDP) credentials’)
  • [T1190] Exploit Public-Facing Application – Exploitation of ProxyShell to compromise Exchange servers. (‘Exploit the ProxyShell vulnerability’)
  • [T1133] External Remote Services – Targeting VPN providers as an initial access vector. (‘Target virtual private network (VPN) providers’)
  • [T1505.003] Web Shell – Deployment of web shells to maintain access on compromised web servers. (‘deploying web shells’)
  • [T1003.002] OS Credential Dumping: Security Account Manager (SAM) – Dumping the SAM registry hive to a file in %windir%\Temp for credential harvesting. (‘dumping of the Security Accounts Manager (SAM) registry hive into a file at %windir%\Temp’)
  • [T1053] Scheduled Task/Job – Creation of a scheduled task (via impacket) to periodically execute the backdoor DLL. (‘used the impacket tool to create the following scheduled task’)
  • [T1218.010] Signed Binary Proxy Execution: Rundll32 – Using rundll32.exe to execute a backdoor DLL by calling its exported Entry function. (‘rundll32.exe c:\programdata\vmware\[filename].dll,Entry’)
  • [T1046] Network Service Scanning – Using Advanced Port Scanner to enumerate open ports for lateral movement. (‘Advanced Port Scanner by Famatech was used from the following path:’)
  • [T1105] Ingress Tool Transfer – Backdoor acts as a loader that downloads and executes additional payloads on infected hosts. (‘downloading and executing additional payloads’)
  • [T1071] Application Layer Protocol – Backdoor C2 communications to hard-coded IP address and port. (‘The backdoor contains a hard-coded C2 IP address and port to communicate with.’)

Indicators of Compromise

  • [File hashes – encryptor] Examples of BianLian encryptor hashes – af46356eb70f0fbb0799f8a8d5c0f7513d2f6ade4f16d4869f2690029b511d4f, 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e, and many others (total list provided in report).
  • [File hashes – backdoor] Examples of BianLian backdoor hashes – c775e6d87a3bcc5e94cd055fee859bdb6350af033114fe8588d2d4d4f6d2a3ae, c57ca631b069745027d0b4f4d717821ca9bd095e28de2eafe4723eeaf4b062cf, and dozens more.
  • [Tool hash] Advanced Port Scanner sample – d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb (used for port scanning/recon).
  • [Tool hash] Custom .NET tool sample – 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce (used for file enumeration, registry and clipboard collection).
  • [File paths/names] Persistence and execution artifacts – c:\programdata\vmware\[filename].dll (backdoor DLL dropped), cmd/rundll32 scheduled task invocation, and C:\Users\%username%\AppData\Local\Temp\31\Advanced_Port_Scanner_2.5.3869.exe (scanner drop path).
  • [C2 IPs] Command-and-control servers – examples 208.123.119[.]123, 13.215.228[.]73, 54.193.91[.]232, and many other IPs listed in the report.

Unit 42 technical summary:

BianLian operators typically gain initial access via stolen RDP credentials, ProxyShell exploitation of Exchange, targeting VPN infrastructure, or deploying web shells. After access they perform network reconnaissance (Advanced Port Scanner), move laterally using public tooling, and harvest credentials by dumping the SAM registry hive into %windir%\Temp for offline cracking.

For persistence and execution they drop a Go-based backdoor DLL (commonly under c:\programdata\vmware\[filename].dll) and create scheduled tasks (via impacket) that invoke rundll32.exe to call the DLL’s exported Entry function. The backdoor serves principally as a loader: it contains a hard-coded C2 IP:port, downloads and executes additional payloads, and communicates over application-layer protocols to exfiltrate or stage data. Unit 42 provides extensive IOCs (encryptor/backdoor hashes, Advanced Port Scanner and .NET tool hashes, and numerous C2 IPs), and its telemetry shows Cortex XDR behavioral modules detecting and preventing the described execution and post-exploitation activity.
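The two host artifacts above (rundll32 calling the Entry export of a DLL under c:\programdata\vmware, and Advanced Port Scanner running out of a user's Temp tree) are simple to hunt for in process-creation telemetry. The following is an added detection example, not code from the Unit 42 report; the event records are constructed to mimic Sysmon Event ID 1 fields, and the DLL name vmhelper.dll and user alice are placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# these are not telemetry from the Unit 42 report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe c:\programdata\vmware\vmhelper.dll,Entry",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\31\Advanced_Port_Scanner_2.5.3869.exe",
     "CommandLine": r"Advanced_Port_Scanner_2.5.3869.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Each rule is (name, predicate over one event). Regexes are case-insensitive
# because Windows paths are.
RULES = [
    # rundll32 loading a DLL from c:\programdata\vmware and calling its Entry
    # export: the scheduled-task persistence pattern described in the report.
    ("rundll32_vmware_dll_entry",
     lambda e: re.search(r"\\rundll32\.exe$", e["Image"], re.I) is not None
     and re.search(r"\\programdata\\vmware\\[^\s,]+\.dll,Entry\b",
                   e["CommandLine"], re.I) is not None),
    # Advanced Port Scanner launched from a user's %LOCALAPPDATA%\Temp tree,
    # matching the scanner drop path listed in the IOCs.
    ("advanced_port_scanner_in_temp",
     lambda e: re.search(r"\\AppData\\Local\\Temp\\.*Advanced_Port_Scanner[^\\]*\.exe$",
                         e["Image"], re.I) is not None),
]


def detect(events):
    """Return (rule_name, command_line) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The benign rundll32 invocation of a control-panel applet is deliberately included so the rule keys on the drop directory and Entry export rather than on rundll32 alone.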

Read more: https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/