BianLian Ransomware: Victimology and TTPs
An Introduction to BianLian Ransomware
BianLian is the threat actor behind the BianLian ransomware operation. The name first appeared on an Android banking trojan in 2019; the group now using it surfaced as a ransomware operation in July 2022. Much like the traditional Chinese art of "face-changing" from which it takes its name, BianLian has displayed considerable adaptability, shifting its focus from banking fraud to ransomware and extortion. The group has built a reputation for quickly changing its tactics, reworking its code, and varying its attack methods to evade detection and sidestep defensive measures.
BianLian Ransomware Victimology
BianLian has widened its scope of targets. While it initially focused on individual users as a banking trojan, its move into ransomware and extortion has brought businesses, government entities, healthcare institutions, and educational organizations into its target set.
Targeted Sectors: The group shows a particular interest in sectors that hold sensitive data and have the financial capacity to pay substantial ransoms. These sectors include:
- Financial institutions
- Government
- Professional Services
- Manufacturing
- Media & Entertainment
- Healthcare
- Education
- Legal
Targeted Countries: Geographically the group's operations have a global reach, but the highest frequency of attacks is recorded in North America, followed by Asia and Europe, suggesting that BianLian concentrates on regions of significant economic importance.
Notably, BianLian predominantly selects organizations located in the United States, which account for approximately 60% of its targets. The United Kingdom (10%) and Canada (7%) follow as the next most frequently targeted countries.
Attacks have recently been frequent. In October 2023 the group targeted Dow Golub Remels & Beverly, Griffing, International Biomedical, Low Keng Huat, TNT Plastic Molding, Prasan Enterprises, PT Pelabuhan Indonesia III and Instron. In November it hit Plastic Molding Technology and the Jebsen Group. December has opened with a busy start: Akumin, Acero Engineering, AMCO Proteins, the SML Group, Independent Recovery Resources, Commonwealth Capital and Greenbox Loans.
Malware, Toolset & TTPs
BianLian runs a multi-stage intrusion. Reported entry points include spearphishing emails carrying malicious attachments or links to compromised websites and, more commonly, valid RDP credentials (see Initial Access below). Once inside, the operators deploy a backdoor that calls back to their command and control (C2) infrastructure and pulls down additional modules and tools, which they use to escalate privileges and establish a durable foothold on the compromised system.
</gre_replace>
<gr_insert after="25" cat="add_content" lang="python" orig="Credential Access:">
The C2, Defense Evasion, Discovery and Credential Access behaviours listed above are all visible in process-creation telemetry. The following is an added example, not tooling from the page or from any vendor: a small rule set run over constructed Sysmon Event ID 1 / Security Event ID 4688-style events (Image and CommandLine fields). The regexes are assumptions derived from the tools and commands the text names (netscan.exe, SharpShares, PingCastle, Set-MpPreference, LSASS dumping via procdump or comsvcs.dll, ntdsutil for NTDS.dit), not published signatures, and the RMM rule in particular must be baselined against sanctioned remote-access software before it is used to alert.

```python
"""Triage of process-creation telemetry against the BianLian behaviours
described above. Added example, not tooling from the page or any vendor.

Events are constructed to carry the Image / CommandLine fields found in
Sysmon Event ID 1 and Security Event ID 4688; the regexes are assumptions
derived from the listed tools and commands, not published signatures."""
import re
from typing import Dict, List, Tuple

# (rule name, page category, regex applied to the lower-cased "Image CommandLine")
RULES: List[Tuple[str, str, str]] = [
    # RMM agents the group drops for hands-on-keyboard access; baseline
    # against sanctioned tooling before alerting on these in your estate.
    ("rmm_install", "Command and Control",
     r"(teamviewer|atera|splashtop|anydesk)"),
    # PowerShell tampering with Defender settings or patching AMSI in memory.
    ("defender_amsi_tamper", "Defense Evasion",
     r"set-mppreference\s+-disable|add-mppreference\s+-exclusion|amsiutils|amsiinitfailed"),
    # Third-party scanners the group downloads into the victim environment.
    ("discovery_tooling", "Discovery",
     r"netscan\.exe|sharpshares|pingcastle|advanced[ _]?port[ _]?scanner"),
    # Native enumeration of logged-in users and domain controllers.
    ("native_discovery", "Discovery",
     r"nltest(\.exe)?\s+/dclist|\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*/domain|\bquery\s+user\b"),
    # LSASS memory dumps via procdump or the comsvcs.dll MiniDump export.
    ("lsass_dump", "Credential Access",
     r"procdump.*lsass|comsvcs\.dll.{0,4}minidump|sekurlsa"),
    # NTDS.dit extraction (ntdsutil IFM or a shadow copy of the system drive).
    ("ntds_access", "Credential Access",
     r"ntdsutil|ntds\.dit|vssadmin\s+create\s+shadow"),
]
COMPILED = [(name, cat, re.compile(pat)) for name, cat, pat in RULES]


def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one process-creation event."""
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}".lower()
    return [name for name, _, rx in COMPILED if rx.search(haystack)]


def triage_all(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, omitting events that matched nothing."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        fired = triage(ev)
        if fired:
            hits[i] = fired
    return hits


# Constructed sample telemetry: one benign event, then one per behaviour.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Image": r"C:\Users\Public\netscan.exe",
     "CommandLine": "netscan.exe /hide /auto:C:\\Users\\Public\\scan.xml"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c nltest /dclist:corp.local"},
    {"Image": r"C:\Temp\AnyDesk.exe",
     "CommandLine": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'},
]

if __name__ == "__main__":
    for idx, fired in triage_all(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", fired)
```

Each rule is tagged with the category the text uses, so a hit can be mapped straight back to the stage of the intrusion it indicates; in production the same matching would run against the EDR or SIEM process-creation feed rather than an inline list.
<test>
assert triage(SAMPLE_EVENTS[0]) == []
assert triage(SAMPLE_EVENTS[1]) == ["defender_amsi_tamper"]
assert triage(SAMPLE_EVENTS[3]) == ["lsass_dump"]
assert triage_all(SAMPLE_EVENTS) == {
    1: ["defender_amsi_tamper"],
    2: ["discovery_tooling"],
    3: ["lsass_dump"],
    4: ["native_discovery"],
    5: ["rmm_install"],
    6: ["ntds_access"],
}
</test>
</gr_insert>
<gr_insert after="26" cat="add_content" lang="python" orig="Persistence and Lateral Movement:">
The RDP preparation described above (and the local account creation and password changes noted under Command and Control) leaves a recognisable sequence in the Windows Security log: 4720 (account created), 4724 (password reset), 4732 (member added to a local group, here Remote Desktop Users, SID S-1-5-32-555) and 4946 (firewall rule added). The following is an added example, not tooling from the page or from any vendor, that correlates those events per host and account inside a time window. The sample events are constructed, the 30-minute window is an assumption to tune, and because event 4946 carries only the rule name (not the port), the firewall stage is matched on the name and should be treated as a weak signal.

```python
"""Correlation of Windows Security events for the RDP-enablement sequence
described above: a local account is added to Remote Desktop Users, its
password is reset and an inbound firewall rule appears, all on one host
within a short window. Added example, not tooling from the page or any
vendor; the sample events are constructed and the 30-minute window is an
assumption to tune against your own environment."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=30)
RDP_USERS_SID = "S-1-5-32-555"   # well-known SID of BUILTIN\Remote Desktop Users
RDP_RULE_HINT = ("remote desktop", "rdp", "3389")  # 4946 carries only the rule name


def _account(e: Dict) -> str:
    """DOMAIN\\user form used by 4720/4724, matching MemberName in 4732."""
    return f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'


def correlate(events: List[Dict]) -> List[Dict]:
    """Return one alert per (host, account) whose addition to Remote Desktop
    Users coincides with at least one other setup step inside WINDOW."""
    stages: Dict[Tuple[str, str], Dict[str, datetime]] = {}  # (host, account) -> stage -> time
    fw_rules: Dict[str, List[datetime]] = {}                  # host -> times of RDP-looking 4946
    for e in sorted(events, key=lambda ev: ev["time"]):
        t, host, eid = datetime.fromisoformat(e["time"]), e["host"], e["event_id"]
        if eid == 4720:                                            # user account created
            stages.setdefault((host, _account(e)), {})["account_created"] = t
        elif eid == 4724:                                          # password reset attempt
            stages.setdefault((host, _account(e)), {})["password_reset"] = t
        elif eid == 4732 and e.get("TargetSid") == RDP_USERS_SID:  # member added to RDU
            stages.setdefault((host, e["MemberName"]), {})["added_to_rdp_users"] = t
        elif eid == 4946 and any(h in e.get("RuleName", "").lower() for h in RDP_RULE_HINT):
            fw_rules.setdefault(host, []).append(t)

    alerts = []
    for (host, account), seen in stages.items():
        anchor = seen.get("added_to_rdp_users")
        if anchor is None:
            continue
        hits = {"added_to_rdp_users": anchor}
        for stage in ("account_created", "password_reset"):
            if stage in seen and abs(seen[stage] - anchor) <= WINDOW:
                hits[stage] = seen[stage]
        for ft in fw_rules.get(host, []):
            if abs(ft - anchor) <= WINDOW:
                hits["rdp_firewall_rule"] = ft
                break
        if len(hits) >= 2:  # a lone group add is routine admin work; two stages is not
            alerts.append({"host": host, "account": account,
                           "stages": sorted(hits),
                           "first_seen": min(hits.values()).isoformat()})
    return alerts


# Constructed sample events (field names follow the real Security log schema).
SAMPLE_EVENTS = [
    # Attacker preparation on WS01, minutes apart.
    {"time": "2023-10-02T10:00:00", "host": "WS01", "event_id": 4720,
     "TargetDomainName": "WS01", "TargetUserName": "helpdesk"},
    {"time": "2023-10-02T10:01:10", "host": "WS01", "event_id": 4724,
     "TargetDomainName": "WS01", "TargetUserName": "helpdesk"},
    {"time": "2023-10-02T10:02:05", "host": "WS01", "event_id": 4732,
     "TargetUserName": "Remote Desktop Users", "TargetSid": RDP_USERS_SID,
     "MemberName": "WS01\\helpdesk", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    {"time": "2023-10-02T10:03:30", "host": "WS01", "event_id": 4946,
     "RuleName": "rdp-in"},
    # Routine admin work elsewhere: a group add with nothing else around it.
    {"time": "2023-10-02T09:00:00", "host": "FS02", "event_id": 4732,
     "TargetUserName": "Remote Desktop Users", "TargetSid": RDP_USERS_SID,
     "MemberName": "CORP\\itops", "MemberSid": "S-1-5-21-4444-5555-6666-2001"},
    # A change to a different local group (Administrators) is ignored here.
    {"time": "2023-10-02T10:02:40", "host": "WS01", "event_id": 4732,
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberName": "WS01\\helpdesk", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
]


def demo() -> List[Dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the WS01 sequence produces an alert; the FS02 group change stands alone and is left as normal administration. Process-creation coverage of the same preparation (net localgroup, net user, netsh advfirewall) complements this log-based view, since the attacker may run those commands before the Security log is forwarded.
<test>
assert demo() == [{
    "host": "WS01",
    "account": "WS01\\helpdesk",
    "stages": ["account_created", "added_to_rdp_users", "password_reset", "rdp_firewall_rule"],
    "first_seen": "2023-10-02T10:00:00",
}]
assert correlate([SAMPLE_EVENTS[4]]) == []
</test>
</gr_insert>
<gr_replace lines="27-28" cat="clarify" orig="BianLian ransomware encrypts">
BianLian ransomware encrypts the victim's data, rendering it inaccessible, and the attackers demand a ransom in exchange for restoring access.
The group initially employed a double-extortion model, exfiltrating data and then encrypting it. After Avast released a working decryptor for the BianLian encryptor in early 2023, the group moved to an exfiltration-only model: it steals data and threatens to publish it, relying on that leverage rather than encryption to secure payment.
Initial Access: BianLian’s initial access to networks often involves exploiting compromised Remote Desktop Protocol (RDP) credentials, potentially obtained from initial access brokers or via phishing.
Command and Control (C2): The group deploys custom backdoors tailored to each victim, coded in Go. They also install remote management and access software such as TeamViewer, Atera Agent, SplashTop, and AnyDesk for maintaining persistence and managing the system. Additionally, the group creates and activates local administrator accounts and alters their passwords.
Defense Evasion: BianLian utilizes PowerShell and Windows Command Shell to disable antivirus tools, specifically targeting Windows Defender and Anti-Malware Scan Interface (AMSI).
Discovery: The group employs various tools, which they initially download to the victim environment, to gather information about the victim’s network. These tools include Advanced Port Scanner, SoftPerfect Network Scanner (netscan[.]exe), SharpShares, and PingCastle. BianLian also leverages native Windows tools and Windows Command Shell to query details about logged-in users, inquire about domain controller configurations, and retrieve data about accessible devices on the network.
Credential Access: BianLian utilizes valid accounts for lateral movement within the network and for other follow-up activities. They seek to obtain these credentials by using Windows Command Shell to search for unsecured credentials on the local machine, harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory, download RDP Recognizer to the victim system, and attempt to access an Active Directory domain database (NTDS.dit).
Persistence and Lateral Movement: For lateral movement, BianLian employs tools like PsExec and RDP along with valid accounts. Before using RDP, they utilize Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modify the added account’s password, and adjust Windows firewall rules to allow incoming RDP traffic.
BianLian ransomware encrypts the victim’s data, rendering it inaccessible. The attackers then demand a ransom payment in exchange for restoring access to the encrypted data.
The group initially employed a double-extortion model, encrypting data after exfiltrating it. However, with the success of the decryptor released by Avast, the group transitioned to an exfiltration-based model to ensure they would receive the ransom payment.
Origins and Affiliates:
Unknown.
Tactics and Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1078 – Valid Accounts |
| Initial Access | T1190 – Exploit Public-Facing Application |
| Initial Access | T1195 – Supply Chain Compromise |
| Initial Access | T1566.001 – Spearphishing Attachment |
| Initial Access | T1566.002 – Spearphishing Link |
| Execution | T1059.001 – PowerShell |
| Execution | T1059.003 – Windows Command Shell |
| Execution | T1569.002 – Service Execution |
| Persistence | T1078 – Valid Accounts |
| Persistence | T1547.001 – Registry Run Keys / Startup Folder |
| Persistence | T1547.009 – Shortcut Modification |
| Privilege Escalation | T1078 – Valid Accounts |
| Privilege Escalation | T1547.001 – Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.009 – Shortcut Modification |
| Defense Evasion | T1027.001 – Binary Padding |
| Defense Evasion | T1036.005 – Match Legitimate Name or Location |
| Defense Evasion | T1078 – Valid Accounts |
| Discovery | T1016.001 – Internet Connection Discovery |
| Collection | T1114.001 – Local Email Collection |
| Exfiltration | T1020 – Automated Exfiltration |
| Exfiltration | T1029 – Scheduled Transfer |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Exfiltration | T1537 – Transfer Data to Cloud Account |
| Exfiltration | T1567 – Exfiltration Over Web Service |
| Impact | T1486 – Data Encrypted for Impact |