[MART] - Daily Diary #586 - Meet BianLian, another Cross-Platform Ransomware

ctas-mat at appgate.com
Thu Sep 1 21:30:18 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/01/2022 - Diary entry #586:

BianLian is a new Ransomware written in the Go language that has already claimed attacks against 15 organizations. Like many other groups, BianLian operates in the double-extortion model, threatening to publish victims' stolen data on its wall-of-shame blog if the ransom is not paid.

The group’s infrastructure appeared online in December 2021 and has evolved since then, with activity peaking after mid-July this year. To begin their attacks, BianLian has exploited the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to establish a foothold in the targeted systems. Then, to move laterally, they use Living-Off-The-Land (LOL) binaries and deploy lightweight backdoors such as the Ngrok reverse proxy or a custom backdoor.

Finally, to encrypt the files (using AES + RSA), BianLian uses a cross-platform Go language Ransomware that seems to be under active development. It drops a ransom note that provides a way of contacting the attackers and the address of their wall-of-shame blog, where stolen data is published if the ransom is not paid within 10 days.

BianLian is yet another example of a cross-platform Ransomware operating in the double-extortion business model. The group’s activities and new victims suggest that they are rapidly evolving. We therefore recommend that organizations secure their environments, as BianLian’s TTPs are becoming well documented and publicly known.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
