BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access
BianLian emerged in 2022 and rapidly became one of the three most active ransomware groups.
They started their operations by exploiting RDP, ProxyShell, and SonicWall VPN vulnerabilities.
Cybersecurity researchers at Juniper report that the group's operators use customized Go malware and living-off-the-land techniques for initial access.
In early 2023, after Avast released a decryptor, the group shifted from encryption and double extortion to pure data theft and extortion.
By May 2023, victim postings had peaked; they then declined as defenses improved and law enforcement attention grew.
Early 2024, however, saw a resurgence with more than ninety new victims, demonstrating BianLian's resilience and adaptability in the ransomware landscape.
BianLian's 2024 targeting focused on high-value industries, with legal services (23.7%) and healthcare at the forefront because of the sensitive data they hold.
Industry vertical distribution of Bianlian victims in 2024 (Source – Juniper)
In mid-January, BianLian's C2 infrastructure expanded sharply, with more than fifteen new servers deployed within twenty-four hours.
This burst of C2 activity occurred alongside an increase in victim postings and coincided with the group's compromise of TeamCity servers and its subsequent development of a PowerShell-based backdoor toolkit.
The operator's campaigns highlight its ability to adapt to victims across sectors and to time its infrastructure expansion strategically.
BianLian's 2023-2024 C2 infrastructure shows deliberate variety: ports 443 (18.59%) and 8443 (9.94%) carry HTTPS traffic, while 46.47% of servers use assorted other ports to evade detection.
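As an added, defender-side example (not code from the Juniper report or this article), the following Python script reproduces the port-bucket analysis described above over constructed Zeek-style outbound connection records and lists internal hosts that repeatedly speak TLS to a peer on a non-standard port; the log format, field order and all addresses are assumptions.

```python
"""Port-bucket check for outbound TLS connections (443 / 8443 / other)."""
from collections import Counter

# Constructed sample of Zeek-style conn records: ts, src, dst, dport, service.
# All values are made up for illustration; they are not indicators from the article.
SAMPLE_CONN_LOG = """\
1712000001 10.0.0.5 203.0.113.10 443 ssl
1712000002 10.0.0.5 203.0.113.10 443 ssl
1712000003 10.0.0.7 198.51.100.22 8443 ssl
1712000004 10.0.0.9 192.0.2.33 5555 ssl
1712000005 10.0.0.9 192.0.2.33 5555 ssl
1712000006 10.0.0.5 203.0.113.44 80 http
1712000007 10.0.0.11 192.0.2.50 4444 ssl
"""

STANDARD_TLS_PORTS = {443, 8443}  # ports the article associates with normal HTTPS use


def parse_conn_log(text):
    """Parse whitespace-separated records into dicts, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, service = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "service": service})
    return records


def port_distribution(records):
    """Percentage of TLS connections per destination-port bucket: '443', '8443', 'other'."""
    tls = [r for r in records if r["service"] == "ssl"]
    counts = Counter(str(r["dport"]) if r["dport"] in STANDARD_TLS_PORTS else "other"
                     for r in tls)
    total = sum(counts.values()) or 1  # avoid division by zero on an empty log
    return {bucket: round(100 * n / total, 2) for bucket, n in counts.items()}


def nonstandard_tls_peers(records, min_hits=2):
    """(src, dst, dport) tuples seen at least min_hits times with TLS on a non-standard port.
    Repeated contact to one odd port is a beaconing pattern worth a manual review."""
    hits = Counter((r["src"], r["dst"], r["dport"]) for r in records
                   if r["service"] == "ssl" and r["dport"] not in STANDARD_TLS_PORTS)
    return sorted(key for key, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print(port_distribution(recs))
    for src, dst, dport in nonstandard_tls_peers(recs):
        print(f"review: {src} -> {dst}:{dport} (TLS on non-standard port)")
```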
Bindiff of the 2024 and 2023 versions of the Go backdoor showing the changes in the logging routine (Source – Juniper)
The Go-based backdoor, built with the mimux and soso modules, operates as a loader with a hardcoded C2 address. In 2024 its logging switched from log.Print to a Logger function for more flexible logging.
Golang libraries used by BianLian’s Go backdoor (Source – Juniper)
This design illustrates BianLian's effort to blend in with legitimate traffic, diversify hosting, and harden its malware for prolonged, manageable intrusions.
In addition, a Linux variant has been discovered as part of the Go-based toolset BianLian uses to attack multiple operating systems.
The group concentrates on engineering, healthcare, and legal services, sectors that offer high-value targets.
It has continued to evolve, switching from encryption to pure data theft and extortion and building new backdoor versions with improved logging.
This growth, together with the strategic diversification of its infrastructure, calls for constant vigilance and cross-platform defenses against this advanced threat actor.
IoCs
The post BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access appeared first on Cyber Security News.