Increases in the command and control infrastructure of the new cross-platform ra...
Secure Blink threat researchers have observed that Golang-based malware has grown in prominence, most likely because of its cross-platform capabilities and because it makes reverse engineering more complex. Threats developed in Go include ransomware, RATs, stealers, and other malware families.
The BianLian ransomware has targeted many well-known organizations (9 victims so far) across several industry sectors, such as manufacturing, education, healthcare, and BFSI, in Australia, North America, and the United Kingdom. For initial access it primarily targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
## Attack Flow
The ransomware group first exploits the ProxyShell flaws to obtain access and then installs a web shell or an ngrok payload to monitor the victim's activity. According to analysts, the gang takes precautions to avoid detection and to minimize observable events while it searches for data and selects machines to encrypt.
According to the report, BianLian uses typical _"living off the land"_ (LoL) techniques for network profiling and lateral movement. These include net.exe for adding and/or modifying user rights, netsh.exe for configuring host firewall policies, and reg.exe for modifying registry settings that govern remote desktop access and security policy enforcement.
In addition to LoL techniques, the group is also known to deploy a bespoke implant as a further means of maintaining persistent network access. The primary purpose of this _"simple but effective"_ backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and execute them.
BianLian has demonstrated proficiency with lateral movement techniques, altering their operations based on the network's capabilities and defenses, according to the assessment.
Like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, BianLian is capable of restarting servers in Windows Safe Mode to run its file-encrypting payload while evading the security solutions installed on the system. It also deletes snapshots, removes backups, and runs its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts, further steps taken to get past security controls.
The group's emergence adds to the growing number of threats written in Golang, which lets adversaries make rapid modifications to a single code base that can then be compiled for various platforms.
In the figure below, we have prepared a breakdown of the industries targeted by the BianLian ransomware.
![Fig 1 Top Industries Targeted By BianLian.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fig_1_Top_Industries_Targeted_By_Bian_Lian_0ff434142a.jpg)
***Figure 1 – Industries Targeted by the BianLian Ransomware***
## Technical Analysis
For this analysis, we used the 64-bit Golang binary executable with the SHA256 hash `eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2`.
Below is the unique build ID of the Golang ransomware binary.
***Figure 2 – Go Build Identifier***
When the ransomware is executed, it first resolves the wine_get_version() export with the GetProcAddress() API; if the export exists, the file is running in a WINE environment rather than on a real Windows host.
***Figure 3 – Anti-analysis Technique***
After that, the ransomware uses the CreateThread() API to spawn numerous threads so that files are encrypted faster; the concurrency also makes the malware harder to reverse engineer. The figure below shows the many threads created by the ransomware.
***Figure 4 - Creation of Multiple Threads***
Using the GetDriveTypeW() API, the malware then identifies the system's drives (from A: to Z:) and encrypts all files available on the associated devices. It also drops a ransom note named "Look at these instructions.txt" in various folders.
The ransom note has the following content.
***Figure 5 – Malware composing the ransom note***
After dropping the ransom note, the malware enumerates files and directories with the FindFirstFileW() and FindNextFileW() API calls to locate files to encrypt.
The following file extensions and file/folder names are exempt from encryption by the ransomware:
For encryption, the ransomware uses the Golang packages crypto/cipher, crypto/aes, and crypto/rsa.
***Figure 6 – Hardcoded "Crypto" Strings from Golang Packages***
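As an added example that is not from the original write-up or from the malware itself, the following Go snippet turns the strings called out above (the wine_get_version export resolved through GetProcAddress(), the crypto/aes, crypto/cipher and crypto/rsa package paths, the ".bianlian" extension and the ransom note file name) into a weighted triage check that can be run over the printable strings of an unknown Go binary. The weights, the threshold of 5 and the sample string table are this example's own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

// Indicator is one static string the analysis attributes to the sample: the WINE export it
// resolves, the Go crypto package paths it links, the extension it appends and the ransom
// note file name. The weights are this example's triage assumption, not values from the sample.
type Indicator struct {
	Name   string
	Needle []byte
	Weight int
}

var BianLianIndicators = []Indicator{
	{"wine_get_version resolved via GetProcAddress", []byte("wine_get_version"), 2},
	{"Go crypto/aes package path", []byte("crypto/aes"), 1},
	{"Go crypto/cipher package path", []byte("crypto/cipher"), 1},
	{"Go crypto/rsa package path", []byte("crypto/rsa"), 1},
	{".bianlian extension string", []byte(".bianlian"), 3},
	{"ransom note file name", []byte("Look at these instructions.txt"), 3},
}

// ScanIndicators returns the indicators present in data, their summed weight, and whether
// the sum reaches the assumed threshold of 5. Any Go binary that links the standard crypto
// packages scores 3 from the package paths alone, so they never reach it on their own.
func ScanIndicators(data []byte) (hits []string, score int, likely bool) {
	for _, ind := range BianLianIndicators {
		if bytes.Contains(data, ind.Needle) {
			hits = append(hits, ind.Name)
			score += ind.Weight
		}
	}
	return hits, score, score >= 5
}

// sampleStrings is a constructed stand-in for a binary's string table, not a dump of the sample.
var sampleStrings = []byte("kernel32.dll GetProcAddress ntdll.dll wine_get_version " +
	"crypto/aes crypto/cipher crypto/rsa .bianlian Look at these instructions.txt")

func main() {
	hits, score, likely := ScanIndicators(sampleStrings)
	fmt.Printf("score=%d likely=%v\n", score, likely)
	for _, h := range hits {
		fmt.Println(" -", h)
	}
}
```

In practice the input would be the output of a strings extraction over the unpacked binary; the check is a triage aid, not a substitute for a full signature.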
The malware splits the file's contents into 10-byte chunks for encryption: it reads 10 bytes from the source file, encrypts them, and writes the encrypted data to the destination file. Slicing the data into small pieces can also help the malware evade detection by anti-virus software.
The image below shows the code fragment of the encryption loop together with the file contents before and after encryption.
***Figure 7 – Encryption algorithm and original/encrypted file content***
As shown below, the malware then gives the encrypted files the ".bianlian" extension and replaces each original file with its encrypted copy using the MoveFileExW() API.
***Figure 8 - MoveFileExW() API***
Using the following command line, the ransomware deletes itself, leaving only the encrypted files and the ransom note on the victim's computer.
`cmd /c del C:\Users\Admin\Desktop\new one.exe`
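To detect this self-deletion from process-creation telemetry, here is an added example in Go that is not part of the original analysis: it flags a cmd.exe "del" whose target equals the parent process's own image path. The ProcEvent fields are modelled loosely on Sysmon event ID 1, and the sample records are constructed, with the first one mirroring the command line above.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent holds the fields of a process-creation record (Sysmon event ID 1 style)
// that the check needs.
type ProcEvent struct {
	Image, CommandLine, ParentImage string
}

// IsSelfDelete flags a cmd.exe "del" whose target is the parent process's own image, the
// pattern of the `cmd /c del <own exe>` line above; quoted paths and mixed case are accepted.
func IsSelfDelete(ev ProcEvent) bool {
	if !strings.HasSuffix(strings.ToLower(ev.Image), `\cmd.exe`) || ev.ParentImage == "" {
		return false
	}
	cl := strings.ToLower(ev.CommandLine)
	i := strings.Index(cl, " del ")
	if i < 0 {
		return false
	}
	target := strings.Trim(strings.TrimSpace(cl[i+5:]), `"`)
	return target == strings.ToLower(ev.ParentImage)
}

// FindSelfDeletes returns the parent image path of every matching event.
func FindSelfDeletes(events []ProcEvent) []string {
	var out []string
	for _, ev := range events {
		if IsSelfDelete(ev) {
			out = append(out, ev.ParentImage)
		}
	}
	return out
}

// sampleEvents are constructed records, not a real log: one self-deletion, one ordinary cleanup, one unrelated process.
var sampleEvents = []ProcEvent{
	{`C:\Windows\System32\cmd.exe`, `cmd /c del C:\Users\Admin\Desktop\new one.exe`, `C:\Users\Admin\Desktop\new one.exe`},
	{`C:\Windows\System32\cmd.exe`, `cmd /c del C:\Temp\build.log`, `C:\Program Files\Git\bin\bash.exe`},
	{`C:\Windows\System32\notepad.exe`, `notepad.exe notes.txt`, `C:\Windows\explorer.exe`},
}

func main() {
	for _, p := range FindSelfDeletes(sampleEvents) {
		fmt.Println("self-deleting process image:", p)
	}
}
```

The flagged parent image path is the file to pull for analysis before it disappears from disk.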
The image below shows the files encrypted by BianLian and the ransom note text file after a victim's computer has been infected.
***Figure 9 - BianLian ransomware-encrypted files***
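As an added example that is not from the original write-up, the Go code below classifies files on a suspected victim host using the two artefacts described above, the ".bianlian" extension and the "Look at these instructions.txt" note, plus a byte-entropy check that also catches files the encryption loop has already overwritten but not yet renamed. The 7.0 bits-per-byte threshold and the sample files are this example's assumptions.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// ShannonEntropy returns the byte entropy of data in bits (0 for constant data, 8 at most).
func ShannonEntropy(data []byte) float64 {
	counts, h := [256]float64{}, 0.0
	for _, b := range data {
		counts[b]++
	}
	for _, c := range counts {
		if c > 0 {
			p := c / float64(len(data))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Classify returns why a file is suspicious, or "" if it looks benign. The note name and the
// extension come from the write-up; the 7.0 bits/byte threshold is this example's assumption.
func Classify(name string, data []byte) string {
	switch {
	case name == "Look at these instructions.txt":
		return "ransom note"
	case strings.HasSuffix(name, ".bianlian"):
		return "renamed to .bianlian"
	case ShannonEntropy(data) >= 7.0:
		return "high-entropy content"
	}
	return ""
}

func main() {
	cipherLike := make([]byte, 4096) // constructed stand-in for ciphertext, not real victim data
	for i := range cipherLike { cipherLike[i] = byte(i * 131) } // odd multiplier: every 256-byte run is a permutation
	for name, data := range map[string][]byte{
		"Look at these instructions.txt": []byte("Your network is encrypted, contact us"),
		"report.docx.bianlian":           cipherLike,
		"in-progress.xlsx":               cipherLike[:2048],
		"readme.txt":                     []byte(strings.Repeat("plain text ", 50)),
	} {
		fmt.Printf("%-32s %q\n", name, Classify(name, data))
	}
}
```

On a real host, walk the file system and feed each file's name and contents to Classify; the entropy case is what surfaces an interrupted run where the rename never happened.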
In the ransom note, victims are instructed on how to contact the threat actors in order to get their encrypted files restored.
If the ransom is not paid within ten days, the threat actors state that the victim's sensitive information, including financial, client, company, technical, and personal files, has already been exfiltrated and will be published on their leak site.
The ransom note also includes the TOX messenger ID for ransom negotiations and the Onion URL of the leak site, as shown in the figure below.
***Figure 10 – Ransom note***
The image below shows the homepage of the BianLian Onion leak site and the extortion listings for the affected companies.
***Figure 11 – Homepage of the BianLian leak website***
The BianLian leak website lists all firms hit by the ransomware together with the threat actors' contact information for data recovery.
***Figure 12 – List of affected companies on the BianLian leak site and threat-actor contact information***
Organizational efficiency and security are both being negatively affected by the rise of ransomware as an attack vector. BianLian is Golang-based malware that has infiltrated several businesses and demands astronomical sums in return for decryption keys. The threat actors use a double-extortion strategy: they steal data from the victimized company and publish it online if the ransom is not paid in time.
Threat actors choose to write their ransomware in Golang for several reasons, chiefly because a single codebase can be compiled for all major operating systems. The threat actors behind BianLian are constantly adapting and expanding their toolset to remain undetected.
Secure Blink will keep an eye on BianLian and similar ransomware gangs and evaluate their actions to learn more about their goals.