Source: https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
THREAT ASSESSMENT: BIANLIAN

By: Daniel Frank
Published: January 23, 2024
Categories: Cybercrime, High Profile Threats, Ransomware
Tags: BianLian, Bitter Scorpius, Makop
Related Products: Advanced URL Filtering, Advanced WildFire, Cloud-Delivered Security Services, Cortex XDR, Next-Generation Firewall

This post is also available in: 日本語 (Japanese)

EXECUTIVE SUMMARY

Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we've gathered. From that leak site data, we've primarily observed activity affecting the healthcare and manufacturing sectors and industries, impacting organizations mainly in the United States (US) and Europe (EU).

We also observed that the BianLian group shares a small, customized tool in common with the Makop ransomware group. This shared tool indicates a possible connection between the two groups, which we explore further below.

BianLian has also recently moved from a double extortion scheme to one of extortion without encryption. Rather than encrypting their victims' assets before stealing data and threatening to publish it if they do not pay the ransom, they now move straight to stealing data to motivate victims to pay.

The Unit 42 Incident Response team has responded to several BianLian ransomware incidents since September 2022.

Palo Alto Networks customers are better protected against ransomware used by the BianLian ransomware group through Cortex XDR, as well as by Cloud-Delivered Security Services for the Next-Generation Firewall such as WildFire and Advanced URL Filtering. In particular, the Cortex XDR anti-ransomware module included out-of-the-box protections that prevented adverse behavior from the ransomware samples we tested, without the need for specific detection logic or signatures. The Prisma Cloud Defender should be deployed on cloud-based Windows virtual machines to ensure they are protected. Cortex Xpanse can provide visibility that is valuable for proactive protection. The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Related Unit 42 Topics: Ransomware, Cybercrime

BIANLIAN THREAT OVERVIEW

The BianLian group has been extremely active ever since it emerged in 2022, with new organizations compromised by the group reported on their leak site almost weekly. Figure 1 below details their activity throughout 2023, as illustrated by their leak site data.

Figure 1. Activity of the BianLian group throughout 2023.

This group mainly impacts the healthcare, manufacturing, professional and legal services sectors. Their attacks have primarily taken place in North America, but they were also seen in the EU and India.

BianLian shares a small custom .NET tool with the Makop ransomware group, which indicates a possible connection between the two groups.

BianLian has moved from a double extortion scheme of encrypting their victims' assets, stealing data, and threatening to publish it if they do not pay the ransom, to a main focus of extortion without encryption.

The group's leak site indicates that BianLian might be expanding by hiring new developers and affiliates, as noted in the "Work with us" section of the group's homepage shown below in Figure 2.

Figure 2. The BianLian leak site homepage, late December 2023.

The BianLian group regularly updates the list of compromised targets on their leak site. Figure 3 details the most affected countries. While BianLian has impacted organizations all over the world, the US is clearly the most affected country as of 2023.

Figure 3. A map showing the countries impacted by BianLian in 2023.

As detailed in Figure 4 below, healthcare is the sector most affected by the BianLian group, with manufacturing a close second. In January 2023, the group claimed to have exfiltrated 1.7 TB of data, including personal data of patients and employees, from a California-based hospital. Attacks on healthcare organizations are especially concerning because they disrupt hospitals' day-to-day operations and potentially endanger patients' lives.

Figure 4. The distribution of the sectors that BianLian attacked in 2023.

POSSIBLE CONNECTION TO MAKOP RANSOMWARE

During our analysis, we noticed that a small custom .NET executable was shared between the BianLian and Makop ransomware groups. Both groups also used the same hash of the publicly available Advanced Port Scanner tool. This .NET tool is responsible for retrieving file enumeration, registry and clipboard data. It contains some words in the Russian language, such as the numbers one to four.

The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past. A possible, yet not confirmed, explanation for this overlap is that BianLian could be sharing a codebase with the Makop group, or using the services of the same third-party developers. This phenomenon is well known and documented among certain underground cybercrime groups.

Another noteworthy fact is that the Makop ransomware was documented excluding certain file extensions when encrypting an infected endpoint, including known extensions used by other ransomware strains. This is yet another indicator of possible existing relationships among these threat actors, or at least a "not stepping on someone's toes" approach toward other ransomware groups.
TECHNICAL ANALYSIS

ATTACK LIFECYCLE

We have mapped the attack stages common to the BianLian group to the MITRE ATT&CK framework, as summarized below.

INITIAL ACCESS

To infiltrate corporate networks, BianLian operators often perform the following activities:
* Use stolen Remote Desktop Protocol (RDP) credentials
* Exploit the ProxyShell vulnerability
* Target virtual private network (VPN) providers
* Use other previously reported techniques such as deploying web shells

During the last year, BianLian's methods of infiltration and lateral movement did not change much. Nevertheless, we were able to retrieve interesting forensic data from our telemetry that provides additional behavioral indicators of compromise (IoCs). After successfully infiltrating an organization's network, our telemetry indicates the BianLian group uses various public tools to move laterally, dump credentials and remotely execute a backdoor payload.

CREDENTIAL DUMPING

In our telemetry, we have witnessed dumping of the Security Accounts Manager (SAM) registry hive into a file at %windir%\Temp. This is a common technique used by attackers. The SAM stores hashed passwords for accounts used on the attacked machine, and it can be recovered when possessing SYSTEM privileges. The corresponding Cortex XDR alert is shown in Figure 5.

Figure 5. SAM dumping alert in Cortex XDR.

PERSISTENCE

During the analysis of our telemetry, we saw the attackers drop the BianLian backdoor DLL component under the following path:
* c:\programdata\vmware\[filename].dll

To execute the backdoor, they used the Impacket tool to create the following scheduled task:

cmd.exe /C rundll32.exe c:\programdata\vmware\[filename].dll,Entry > C:\Windows\Temp\[filename].tmp 2>&1

The creation of the task was detected by Cortex XDR, and the corresponding alert is shown in Figure 6 below.

Figure 6. The Impacket task creation alert in Cortex XDR.

This task's role is to periodically execute the backdoor DLL through its export function named Entry, using rundll32. The execution of the backdoor DLL was detected and prevented by Cortex XDR. The alert and prevention pop-up are shown in Figures 7 and 8, respectively.

Figure 7. The backdoor execution detection by Cortex XDR in detect mode.

Figure 8. The backdoor execution prevention by Cortex XDR in prevent mode.

The backdoors themselves have different names and paths in each incident, making it difficult to implement naming-based behavioral detection.

RECONNAISSANCE

To get a better picture of an already infected network's open ports that attackers can later use for lateral movement, the tool Advanced Port Scanner by Famatech was run from the following path:
* C:\Users\%username%\AppData\Local\Temp\31\Advanced_Port_Scanner_2.5.3869.exe

This is the same Advanced Port Scanner file that Makop ransomware was previously documented using. The alerts raised by its execution are shown in Figure 9.

Figure 9. Alerts raised by the execution of Advanced Port Scanner.

ENCRYPTOR AND BACKDOOR

Since the beginning of their activity, BianLian has used two main components for their final payloads: an encryptor and a backdoor. Figure 10 below shows the encryptor's ransom note.

Figure 10. Example of a ransom note generated by a BianLian encryptor first seen in April 2023.

In early 2023, Avast released a decryptor for BianLian's encryptor, which ultimately caused the group to cease most of its encryption activity. The threat actors then shifted their operation to a steal-and-extort scheme, relying mainly on their custom backdoor.

BianLian's backdoor, like the encryptor, is written in Go. Its core functionality is more that of a loader than a classic backdoor, with its main purpose being to download and execute additional payloads. The backdoor contains a hard-coded C2 IP address and port to communicate with.
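As an added illustration of the behavioral indicators described in the Credential Dumping, Persistence and Reconnaissance sections above, the following Python script (written for this page, not Unit 42 code) runs three pattern rules and a known-hash check over constructed Sysmon-style process-creation events. The event field names, the sample values, the `Rule`/`scan_events` helpers and the use of `reg save` as the SAM dump command are assumptions; the two SHA256 values are the ones listed in the post's IoC section.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Sysmon-style (Event ID 1) process-creation events. These are made-up
# samples modelled on the behaviours the post describes, not real telemetry.
SAMPLE_EVENTS = [
    {   # Credential dumping: SAM hive written to %windir%\Temp (reg save is an assumption)
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg save hklm\sam C:\Windows\Temp\sam.save",
        "Hashes": "",
    },
    {   # Persistence: scheduled task body running the backdoor DLL export via rundll32
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /C rundll32.exe c:\programdata\vmware\upd.dll,Entry"
                       r" > C:\Windows\Temp\upd.tmp 2>&1",
        "Hashes": "",
    },
    {   # Reconnaissance: Advanced Port Scanner launched from the user's Temp folder
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\31\Advanced_Port_Scanner_2.5.3869.exe",
        "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\31\Advanced_Port_Scanner_2.5.3869.exe"',
        "Hashes": "SHA256=d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb",
    },
    {   # Benign control: a legitimate VMware Tools process must not fire any rule
        "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
        "CommandLine": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
        "Hashes": "",
    },
]

# SHA256 values of the two tools named in the post's IoC section.
KNOWN_TOOL_HASHES = {
    "d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb": "Advanced Port Scanner",
    "40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce": "BianLian/Makop .NET tool",
}


@dataclass(frozen=True)
class Rule:
    stage: str          # attack stage as named in the post
    name: str           # short description of the behaviour
    pattern: re.Pattern


# Behavioural rules matched against "Image CommandLine". Windows paths are
# case-insensitive, so every pattern is compiled with re.I.
RULES = [
    Rule("Credential Dumping", "SAM hive saved to %windir%\\Temp",
         re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\sam\b.*"
                    r"(?:c:\\windows|%windir%)\\temp\\", re.I)),
    Rule("Persistence", "rundll32 of a DLL under ProgramData\\vmware with export Entry, "
                        "output redirected to Windows\\Temp",
         re.compile(r"rundll32(?:\.exe)?\s+c:\\programdata\\vmware\\[^,\s]+\.dll,entry\b"
                    r".*>\s*c:\\windows\\temp\\\S+\.tmp", re.I)),
    Rule("Reconnaissance", "Advanced Port Scanner executed from a user Temp directory",
         re.compile(r"\\appdata\\local\\temp\\.*advanced_port_scanner[^\\]*\.exe", re.I)),
]


def sha256_of(event: dict) -> str | None:
    """Pull the SHA256 out of a Sysmon-style 'Hashes' field such as 'SHA256=...,MD5=...'."""
    m = re.search(r"SHA256=([0-9a-f]{64})", event.get("Hashes", ""), re.I)
    return m.group(1).lower() if m else None


def scan_event(event: dict) -> list[dict]:
    """Return one finding per rule hit or known-hash hit for a single event."""
    findings = []
    text = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    for rule in RULES:
        if rule.pattern.search(text):
            findings.append({"stage": rule.stage, "rule": rule.name,
                             "image": event.get("Image", "")})
    digest = sha256_of(event)
    if digest in KNOWN_TOOL_HASHES:
        findings.append({"stage": "Known tool hash",
                         "rule": f"SHA256 matches {KNOWN_TOOL_HASHES[digest]}",
                         "image": event.get("Image", "")})
    return findings


def scan_events(events: list[dict]) -> list[dict]:
    """Run every event through the rules and flatten the findings in event order."""
    return [f for event in events for f in scan_event(event)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['stage']}] {finding['rule']} :: {finding['image']}")
```

Because the backdoor DLL name changes between incidents, the persistence rule keys on the fixed parts the post reports (the ProgramData\vmware directory, the Entry export and the Windows\Temp redirect) rather than on a filename.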
As shown in Figures 11 and 12, Cortex XDR successfully detected the execution of the encryptor, using its anti-ransomware module and other behavioral and static detection signatures.

Figure 11. BianLian encryptor detection by Cortex XDR in detect mode.

Figure 12. Alerts raised by Cortex XDR detecting the BianLian encryptor in detect mode.

As shown in Figure 13, when operating in prevent mode, Cortex XDR prevents the BianLian encryptor.

Figure 13. The BianLian encryptor is prevented by Cortex XDR in prevent mode.

Figures 14 and 15 below demonstrate how Cortex XDR also detected the BianLian custom backdoor in detect mode and prevented it in prevent mode.

Figure 14. Cortex XDR detecting the BianLian backdoor in detect mode.

Figure 15. The BianLian backdoor is prevented by Cortex XDR in prevent mode.

CONCLUSION

Following its discovery in 2022, the BianLian group has been one of the most active and prevalent extortion groups in the cyberthreat landscape. Out of the leak site data tracked by Unit 42 between January and mid-December 2023, BianLian was in the top 10 of the most active groups. There is a growing list of alleged victims that they update on their leak site.

While maintaining their tactics, techniques and procedures (TTPs) for infiltrating corporate networks, the BianLian group has shown adaptiveness to ransomware market demands. They have shifted from double extortion to focusing solely on extortion, pressuring their victims into paying the ransom without encrypting their files. A possible connection to the Makop ransomware group was also found, due to their mutual use of a custom tool.

PROTECTIONS AND MITIGATIONS

SmartScore, a unique ML-driven scoring engine that translates security investigation methods and their associated data into a hybrid scoring system, scored an incident involving the BianLian backdoor at 91 out of 100, as shown in Figure 16. This type of scoring helps analysts determine which incidents are more urgent and provides context about the reason for the assessment, assisting with prioritization.

Figure 16. SmartScore information about a BianLian backdoor incident.

Palo Alto Networks customers are better protected from the BianLian encryptor and backdoor components. The Cortex XDR and XSIAM platforms detect and prevent the execution flow described in the screenshots included in the previous section. The Cortex XDR agent included out-of-the-box protections that prevented adverse behavior from the samples we tested from this group, without the need for specific detection logic or signatures.

Cortex XDR and XSIAM detect user- and credential-based threats by analyzing user activity from multiple data sources, including the following:
* Endpoints
* Network firewalls
* Active Directory
* Identity and access management solutions
* Cloud workloads

Cortex XDR and XSIAM build behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR and XSIAM detect anomalous activity indicative of credential-based attacks. They also offer the following protections related to the attacks discussed in this post:
* Prevent the execution of known malicious malware
* Prevent execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module
* Protect against credential-gathering tools and techniques using Credential Gathering Protection, available from Cortex XDR 3.4
* Protect against exploitation of different vulnerabilities including ProxyShell using the Anti-Exploitation modules as well as Behavioral Threat Protection

Cortex XDR Pro detects post-exploitation activity, including credential-based attacks, with behavioral analytics.

The Prisma Cloud Defender as well as Cortex XDR for cloud agents should be deployed on cloud-based Windows virtual machines to ensure they are protected from these known malicious binaries. WildFire signatures can be used by both Palo Alto Networks cloud services to ensure cloud-based Windows virtual machine runtime operations are analyzed and those resources are protected.

Cloud-Delivered Security Services for the Next-Generation Firewall such as WildFire and Advanced URL Filtering include protections based on the IoCs shared in this article.

Cortex Xpanse is also able to detect exposed RDP and many other remote access interfaces, which are often brute forced or exploited with compromised credentials. This visibility can prove valuable for proactive prevention.

Figure 17. A subset of the exposed remote access interface types that Cortex Xpanse can detect.

If you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
* North America Toll-Free: 866.486.4842 (866.4.UNIT42)
* EMEA: +31.20.299.3130
* APAC: +65.6983.8730
* Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
INDICATORS OF COMPROMISE

Examples of the BianLian Encryptor

Examples of the BianLian Backdoor

Advanced Port Scanner
* d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb

.NET Tool
* 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce

BianLian Command and Control Servers

ADDITIONAL RESOURCES

* BianLian ransomware gang holds Save the Children hostage – Computer Weekly, by TechTarget
* #StopRansomware: BianLian Ransomware Group – U.S. Cybersecurity and Infrastructure Security Agency (CISA)
* BianLian Ransomware Gang Gives It a Go! – Redacted
* BianLian Ransomware Gang Continues to Evolve – Redacted
* Makop: The Toolkit of a Criminal Gang – L M, Medium
* Makop Ransomware Whitepaper – LIFARS by SecurityScorecard
* BianLian Ransomware Lists St Rose Hospital as Victim – The Cyber Express
* Decrypted: BianLian Ransomware – Avast Threat Labs
* OS Credential Dumping: Security Account Manager, Sub-technique T1003.002 - Enterprise – MITRE ATT&CK