BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access


BianLian emerged in 2022, and after its emergence rapidly, it became one of the three most active ransomware groups. 

They started their operations by exploiting RDP, ProxyShell, and SonicWall VPN vulnerabilities. 

EHA

The cybersecurity researchers at Juniper affirmed that the operators of this ransomware group do so for the initial access using customized Go malware and living off-the-land techniques.

In early 2023, after Avast released a decryptor, this shifted from encryption or double extortion to simply stealing and extorting.

BianLian Ransomware Leveraging RDP Credentials

By May 2023, victim postings had peaked before declining due to improved defenses and law enforcement attention.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

But early 2024 witnessed a resurgence with more than ninety new victims, demonstrating BianLian’s resilience and adaptability in the ransomware landscape.

BianLian’s 2024 strategy was based on selecting high-value industries with legal services (23.7%) and healthcare placed at the forefront because of their vulnerability to such data.

BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access
Industry vertical distribution of Bianlian victims in 2024 (Source – Juniper)

In mid-January, BianLian experienced a sharp rise in threat actors involved in its C2 infrastructure, as they deployed more than fifteen new servers within twenty-four hours.

This trend in C2 infrastructure activities occurred alongside an increase in victim postings, which coincided with hackers’ hacking of TeamCity servers and the subsequent development of a PowerShell-based backdoor toolkit by the group.

The ransomware campaigns of this operator highlighted its ability to adapt to different sectors’ victims and the strategic timing of infrastructure expansion.

BianLian’s C2 infrastructure in 2023-2024 reveals strategic variety. Mostly, they use 443 ports (18.59%) and 8443 (9.94%) for HTTPS traffic, followed by 46.47% that apply divergent other ports to avoid detection.

BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access
Industry vertical distribution of Bianlian victims in 2024 (Source – Juniper)

In mid-January, BianLian experienced a sharp rise in threat actors involved in its C2 infrastructure, as they deployed more than fifteen new servers within twenty-four hours.

This trend in C2 infrastructure activities occurred alongside an increase in victim postings, which coincided with hackers’ hacking of TeamCity servers and the subsequent development of a PowerShell-based backdoor toolkit by the group.

The ransomware campaigns of this operator highlighted its ability to adapt to different sectors’ victims and the strategic timing of infrastructure expansion.

BianLian’s C2 infrastructure in 2023-2024 reveals strategic variety. Mostly, they use 443 ports (18.59%) and 8443 (9.94%) for HTTPS traffic, followed by 46.47% that apply divergent other ports to avoid detection.

BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access
Bindiff of 2024 and 2023 version of the Go backdoor showing the changes in the logging routine (Source – Juniper)

The Go-based backdoor using modules mimux and soso operates as a loader with a hardcoded c2 address. Recent versions switched from log.Print to a Logger function in 2024 for more flexible logging.

BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access
Golang libraries used by BianLian’s Go backdoor (Source – Juniper)

This infrastructure design illustrates BianLian’s attempt to merge with lawful traffic, diversify hosting, and strengthen its malware so it may be used in prolonged manageable attack instances.

Besides this, a Linux variant has been discovered, which is part of the Go-based tools used by BianLian to launch attacks on different operating systems.

The group concentrates on engineering, healthcare, and legal services that prop high-value targets.

They have continued to evolve by switching from encryption to pure data theft and extortion. They are even building new backdoor versions with improved logging functions.

This growth and a simultaneous strategic diversification of their infrastructural set-up support constant vigilance and cross-platform defense against this advanced threat actor.

IoCs

  • 3b309c076c26f27f42dbab8c89f05df51c414e87529251dc2d9946e7bc694f29 
  • 72d91293ff1a91587af3997081f65eac819d2ff73655837dc68a447d371ca2f1 
  • f9421165e4a62c7a1941b7b3fa73ac6f2149e7ffab3a6a622406baabf1933a2e 
  • 834ab96263cca7b01b3ae6549a9811b56204e714402215ce37fb602732b981d1 
  • B12be86af46b0267d86fcacef0a58bad0d157a7a044f89a453082b32503bd3c0 
  • ec2-13-215-228-73[.]ap-southeast-1[.]compute[.]amazonaws[.]com 
  • 104[.]238[.]61[.]20 
  • 45[.]56[.]165[.]131 
  • 146[.]59[.]102[.]74 
  • 45[.]56[.]165[.]131 

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo



Source link