September 26, 2022

TheCyberThrone

Thinking Security! Always

BianLian Ransomware Also Written in Golang

A new ransomware group named BianLian has become increasingly active.

The threat actor already has twenty alleged victims across several industries including insurance, medicine, law and engineering. The majority of the victim organizations have been based in Australia, North America and the UK.


The threat actor is believed to be a group of individuals who are highly skilled in network penetration but relatively new to the extortion/ransomware business.

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the C&C software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

To gain initial access to victim networks, BianLian typically targets the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), SonicWall VPN devices, or servers that provide remote network access via solutions such as Remote Desktop.

After exploitation, they deploy either a webshell or a lightweight remote access solution such as ngrok as the follow-on payload. Once inside the network, BianLian can take up to six weeks to start the encryption process.

BianLian appears to take steps to minimize observable events, using living-off-the-land (LOL) techniques to move laterally. Prior to encryption, the actor takes care to avoid detection and to counter EDR.


Indicators of Compromise

Backdoors

  • 001f33dd5ec923afa836bb9e8049958decc152eeb6f6012b1cb635cff03be2a2
  • 1a1177363be7319e7fb50ac84f69acb633fd51c58f7d2d73a1d5efb5c376f256
  • 20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352
  • 36281d02e28dd26a1db37ebe36941fc9eb1748868e96b544f227b3b59de51fea
  • 3bdcc81931687abac9e6ba4c80d4d596cebb470c80f56213aa29d3da43925537
  • 50c86fb27bed1962903a5f9d155544e3fdb859ae19e967a10f0bf3a60bb8954f
  • 5d429e05cede806ecea2e99116cac09558fcc0011095201e66c2e65c42f80fcf
  • 64065c29b369881ee36314c0d15e442510027186fd9087aec0f63e22a5c6f24c
  • 6d7009df2fa033f7adc30793ebd5254ef47a803950e31f5c52fa3ead1197599f
  • 8084eddfdb157edf8b1c0cdf8bf4d4e4aaa332fc871c2892aa4113b5148ac63e
  • 8592862cd28bcc23cfbcf57c82569c0b74a70cd7ea70dbdee7421f3fafc7ecaf
  • 86a9b84c6258c99b3c3c5b94a2087bc76a533f6043829ded5d8559e88b97fb2f
  • 9b7a0117a27dc418fbf851afcd96c25c7ad995d7be7f3d8d888fa26a6e530221
  • bb2e9fd9d60f49f0fc2c46f8254e5617d4ec856f40256554087cda727a5f6019
  • c0fe7bfb0d1ffeb61fb9cafeeab79ffd1660ff3637798e315ff15d802a3c974e
  • c7fe3fc6ffdfc31bc360afe7d5d6887c622e75cc91bc97523c8115b0e0158ad6
  • cd17afd9115b2d83e948a1bcabf508f42d0fe7edb56cc62f5cc467c938e45033
  • d602562ba7273695df9248a8590b510ccd49fefb97f5c75d485895abba13418d
  • da7a959ae7ea237bb6cd913119a35baa43a68e375f892857f6d77eaa62aabbaf
  • dda89e9e6c70ff814c65e1748a27b42517690acb12c65c3bbd60ae3ab41e7aca
  • de31a4125eb74d0b7cbf2451b40fdb2d66d279a8b8fd42191660b196a9ac468f
  • f7a3a8734c004682201b8873691d684985329be3fcdba965f268103a086ebaad

Encryptors

  • 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
  • b60be0b5c6e553e483a9ef9040a9314dd54335de7050fed691a07f299ccb8bc6
  • cbab4614a2cdd65eb619a4dd0b5e726f0a94483212945f110694098194f77095
  • eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2

Active IPs

  • 104.225.129[.]86
  • 104.238.223[.]10
  • 104.238.223[.]3
  • 109.248.6[.]207
  • 13.49.57[.]110
  • 144.208.127[.]119
  • 146.0.79[.]9
  • 157.245.80[.]66
  • 16.162.137[.]220
  • 165.22.87[.]199
  • 172.93.96[.]61
  • 172.93.96[.]62
  • 18.130.242[.]71
  • 185.108.129[.]242
  • 185.225.69[.]173
  • 185.56.80[.]28
  • 185.62.58[.]151
  • 185.69.53[.]38
  • 192.145.38[.]242
  • 192.161.48[.]43
  • 192.169.6[.]232
  • 37.235.54[.]81
  • 45.9.150[.]132
  • 5.2.79[.]138
  • 51.68.190[.]20
  • 54.173.59[.]51
  • 62.84.112[.]68
  • 64.52.80[.]120
  • 66.135.0[.]42
  • 83.136.180[.]12
  • 85.13.117[.]213
  • 85.13.117[.]218
  • 91.199.209[.]20
  • 95.179.137[.]20

Historical IPs

  • 104.207.155[.]133
  • 104.238.61[.]153
  • 146.70.44[.]248
  • 155.94.160[.]241
  • 167.88.15[.]98
  • 172.96.137[.]107
  • 188.166.81[.]141
  • 194.26.29[.]131
  • 194.5.212[.]205
  • 194.58.119[.]159
  • 198.252.108[.]34
  • 202.66.72[.]7
  • 208.123.119[.]145
  • 209.141.54[.]205
  • 23.227.198[.]243
  • 23.94.56[.]154
  • 43.155.116[.]250
  • 45.144.30[.]139
  • 45.92.156[.]105
  • 5.188.6[.]118
  • 5.230.67[.]2
  • 85.13.116[.]194
  • 85.13.117[.]219
  • 89.22.224[.]3
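The indicator lists above only become useful once they are matched against telemetry, and they are published defanged, so a matcher has to normalize them first. The following Python is an added example, not code from this post or from any vendor report: it refangs a handful of the indicators listed above, builds a lookup keyed by indicator value and labelled by the section it came from, and scans constructed sample log lines for hits. The log format, the private hosts, the file paths and the helper names are assumptions made for the example.

```python
import re
from typing import Iterable

# Subset of the indicators published in the post, copied as listed (defanged
# where the post defangs them). One IP is kept without [.] to show that the
# normalizer must also accept values that were never defanged.
BACKDOOR_SHA256 = [
    "001f33dd5ec923afa836bb9e8049958decc152eeb6f6012b1cb635cff03be2a2",
    "1a1177363be7319e7fb50ac84f69acb633fd51c58f7d2d73a1d5efb5c376f256",
]
ENCRYPTOR_SHA256 = [
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
]
ACTIVE_IPS = ["104.225.129[.]86", "185.56.80[.]28"]
HISTORICAL_IPS = ["194.58.119.159", "23.227.198[.]243"]


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be compared with raw log fields.
    Handles the [.] and (.) conventions; already-clean values pass through."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".")


def build_lookup() -> dict:
    """Map every refanged indicator to the label of its IoC section."""
    lookup = {}
    for h in BACKDOOR_SHA256:
        lookup[h.lower()] = "backdoor"
    for h in ENCRYPTOR_SHA256:
        lookup[h.lower()] = "encryptor"
    for ip in ACTIVE_IPS:
        lookup[refang(ip)] = "active-ip"
    for ip in HISTORICAL_IPS:
        lookup[refang(ip)] = "historical-ip"
    return lookup


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_lines(lines: Iterable[str], lookup: dict) -> list:
    """Return (line_number, indicator, label) for every line carrying a known IoC.
    Hashes are compared case-insensitively; IPs are compared as extracted."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        candidates = IP_RE.findall(line)
        candidates += [h.lower() for h in SHA256_RE.findall(line)]
        for value in candidates:
            label = lookup.get(value)
            if label:
                hits.append((lineno, value, label))
    return hits


# Constructed sample telemetry (not real logs): firewall connection lines and
# EDR file-creation events. Hosts 10.0.0.x are hypothetical victim machines.
SAMPLE_LOGS = [
    "2022-09-20T03:14:07Z fw allow src=10.0.0.15 dst=104.225.129.86 dport=443",
    "2022-09-20T03:14:09Z fw allow src=10.0.0.15 dst=8.8.8.8 dport=53",
    "2022-09-20T03:15:00Z edr file_created path=C:\\Users\\Public\\svc.exe "
    "sha256=1A1177363BE7319E7FB50AC84F69ACB633FD51C58F7D2D73A1D5EFB5C376F256",
    "2022-09-20T03:15:02Z fw allow src=10.0.0.21 dst=194.58.119.159 dport=8443",
    "2022-09-20T03:16:11Z edr file_created path=C:\\Windows\\Temp\\x.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def run_demo() -> list:
    """Scan the constructed sample logs against the published indicators."""
    return scan_lines(SAMPLE_LOGS, build_lookup())


if __name__ == "__main__":
    for lineno, value, label in run_demo():
        print(f"line {lineno}: {label} indicator {value}")
```

Three of the five sample lines produce hits: the active C2 address on line 1, the backdoor hash (logged in upper case) on line 3, and the historical address on line 4; the unrelated DNS connection and the unknown hash are ignored. In a real deployment the indicator lists would be loaded from a feed rather than embedded, and a hit on a historical IP should be weighted lower than one on an active address or a sample hash.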