Minutes make the difference to defenders responding to a ransomware attack on a victim's network. BianLian ransomware raises the cybercriminal bar by encrypting files with exceptional speed.
Threat actors built the new BianLian ransomware in the Go programming language (aka Golang). Despite the large size of Go binaries, threat actors are turning to this exotic language more often for a variety of reasons, particularly its robust support for concurrency: the ability for several malicious functions to run independently of each other, which speeds up the attack.
In addition to an overview of the BianLian ransomware, this post highlights some of the unique aspects of Golang that make it an increasingly popular choice for malware authors.
Risk & Impact
Bian Lian is an ancient dramatic art that originated in China. Performers move about the stage in brightly colored outfits and masks, and they change the masks so quickly that, with the swipe of a fan or the blink of an eye, the face of their costume changes completely. We can now add a new meaning to the term Bian Lian, because a ransomware group has taken the name and made it their own.
Research from Cyble found that this threat group targets many different industry sectors. Their targets have historically included manufacturing, education, healthcare, professional services, energy, banking, financial services, and insurance (BFSI), and the entertainment industry.
As of September 20, 2022, the group's leak site lists 23 victims. BlackBerry researchers analyzed the list and determined that this group targets corporations rather than specific countries. The listed victims come from several countries, including the United States, Australia, and the United Kingdom.
Why do these operators target English-speaking countries? It's likely the threat actor is financially motivated rather than politically or geographically oriented, and at this point the group has not claimed affiliation with any nation state or agenda.
BianLian ransomware shares its name with a malicious Android package (APK) that was previously hosted on the Google Play store and has since been removed. ThreatFabric also dubbed that application BianLian.
This identically named malware used a dropper on the Google Play store to install a malicious payload from the infamous Anubis banking Trojan. From there, the threat actor used a messaging service to deliver command-and-control (C2) commands and steal user credentials. At the time of writing, no one has claimed any relation between these two malware families beyond the name they've been given.
BianLian ransomware is written in Golang. As we discussed in a recent whitepaper, Golang is an open-source programming language designed by Google employees. The language's official first release was in March 2012, and it quickly became a mainstay language for large industry organizations such as Apple, Google, and IBM.
Golang comes with a large standard library, garbage collection, and concurrency support. Concurrency means that multiple computations can take place at the same time, through multithreading. To enable this, Go uses goroutines, which allow functions or methods to execute asynchronously and independently of each other. This concurrency allows for quicker encryption of the target system.
Go can compile code for Windows, Linux, and OS X. This makes it possible for malware authors to create threats that affect all the major operating systems, if they choose to.
Go binaries are statically linked, which means all the necessary libraries are included in the compiled binary. In languages where this is not the case, developers must either ship the libraries separately from the main executable or hope that the target machine already has the needed libraries installed. Including these libraries makes for a larger file that is harder to distribute, but larger files might also be skipped by antivirus (AV) engines that are trying to optimize for speed.
The sample we will be analyzing in this post is named anabolic.exe (SHA256: 46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b). This file is a 64-bit executable compiled with Golang version 1.18.3.
When a Golang program is built, it generates a BuildID. A BuildID in Golang is a unique representation of the file and its contents. The BuildID sits within the first 32 KB of the binary, though the exact position varies depending on the operating system it's compiled for. The file in focus here is a portable executable (PE) file.
Looking closer, a BuildID consists of hashes of the file names and the contents of the application, and it is segmented into two parts: actionID and contentID. The actionID is a hash of the inputs that produced the package or binary, and the contentID is a hash of the action's output, which is the binary itself. The BuildID of anabolic.exe is shown below in Figure 1.
Figure 1: Build ID from 46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b
The command used to compile the program is also stored in the binary. To compile a program with Go, you use the go build command, which compiles all the packages and dependencies the application needs.
For the sample we're analyzing in this blog, the build was given two arguments, shown below in Figure 2: -gcflags and -trimpath. -gcflags passes flags to the compiler, and -trimpath removes all absolute file system paths from the executable, an attempt to hide the developer's user directories.
It's useful to note the last part of the path here: crypt22. This can mark iterations of development by the actor, as this number has changed between samples in the wild.
Figure 2: Crypt project path
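Since Go 1.18 the toolchain records the Go version, the main package path and build settings such as -trimpath and -gcflags inside the binary, and the standard library's debug/buildinfo package reads them from PE, ELF and Mach-O files. The following triage helper is an added example written for this post, not BlackBerry's tooling; the values in sampleInfo (the crypt22 path, a placeholder -gcflags value) are constructed stand-ins, and a real binary can be passed as the first argument instead.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// Triage is the subset of embedded build metadata worth recording at first look.
type Triage struct {
	GoVersion string // toolchain that built the file, e.g. "go1.18.3"
	MainPath  string // main package path recorded at build time
	GOOS      string
	GOARCH    string
	Trimmed   bool   // -trimpath was used, so developer directories were stripped
	GCFlags   string // value recorded for -gcflags, if any
}

// Summarize pulls the triage fields out of the build settings. The keys "-trimpath",
// "-gcflags", "GOOS" and "GOARCH" are the ones the Go toolchain itself records.
func Summarize(bi *debug.BuildInfo) Triage {
	t := Triage{GoVersion: bi.GoVersion, MainPath: bi.Path, GOOS: "unknown", GOARCH: "unknown"}
	for _, s := range bi.Settings {
		switch s.Key {
		case "-trimpath":
			t.Trimmed = s.Value == "true"
		case "-gcflags":
			t.GCFlags = s.Value
		case "GOOS":
			t.GOOS = s.Value
		case "GOARCH":
			t.GOARCH = s.Value
		}
	}
	return t
}

// Notes renders the triage as the observations an analyst would write down.
func Notes(t Triage) []string {
	notes := []string{fmt.Sprintf("built with %s for %s/%s, main package %q",
		t.GoVersion, t.GOOS, t.GOARCH, t.MainPath)}
	if t.Trimmed {
		notes = append(notes, "-trimpath set: absolute source paths were removed")
	} else {
		notes = append(notes, "-trimpath not set: developer paths may remain in the strings")
	}
	if t.GCFlags != "" {
		notes = append(notes, "-gcflags recorded: "+t.GCFlags)
	}
	return notes
}

// sampleInfo builds a BuildInfo by hand from constructed key/value pairs so the
// logic can be exercised without a binary on disk.
func sampleInfo(goVersion, path string, kv ...string) *debug.BuildInfo {
	bi := &debug.BuildInfo{GoVersion: goVersion, Path: path}
	for i := 0; i+1 < len(kv); i += 2 {
		bi.Settings = append(bi.Settings, debug.BuildSetting{Key: kv[i], Value: kv[i+1]})
	}
	return bi
}

func main() {
	bi := sampleInfo("go1.18.3", "crypt22", "GOOS", "windows", "GOARCH", "amd64",
		"-trimpath", "true", "-gcflags", "<flags as recorded>") // constructed stand-in
	if len(os.Args) == 2 {
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil { // PE, ELF and Mach-O
			fmt.Fprintln(os.Stderr, "no Go build info:", err)
			os.Exit(1)
		}
	}
	for _, n := range Notes(Summarize(bi)) {
		fmt.Println("-", n)
	}
}
```

A binary built before Go 1.18, or one whose build info was deliberately stripped, yields an error from ReadFile rather than partial data, so treat "no Go build info" as a finding in itself.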
The author packaged all the ransomware's functionality into a common package. A package is a collection of source files in the same directory that are compiled together. Static analysis of the strings in pestudio gives us an idea of the sample's capabilities.
From this information, we can see it will likely rename files, and it can also chunk files into smaller blocks for processing, query drive information, and check file extensions. Project paths for this functionality are shown in Figure 3.
Figure 3. Common package functions
Upon execution, the application searches the host machine for all possible drive letters. To do this, the ransomware uses GetDriveTypeW from kernel32.dll, whose address it retrieves via the GetProcAddress API call. The purpose is to ensure the ransomware can encrypt all connected or potential media. The check starts at A:\ and runs through to Z:\.
Debugger output demonstrating a snippet of this activity is shown in Figure 4.
Figure 4. GetDriveTypeW call with drives
Once all the drives are enumerated, the threat begins its ransom process. The ransomware encrypts files using Go's standard library crypto packages. These are open-source libraries that provide cryptographic functionality, comparable to the base CryptoAPI provided in Windows environments.
The ransomware drops a .TXT file named Look at this instruction.txt into the directory from which it was run. The ransom note is shown in its entirety in Figure 5.
This text file explains how to contact the threat actor to restore your data. Victims can either download the peer-to-peer encrypted chat application Tox messenger or email the group directly.
The threat actor gives victims 10 days before publicly releasing their stolen data on the operators' .onion site. The note does not state how much money the threat actors demand.
Figure 5. BianLian ransom note
From here, this process is repeated across multiple threads to ensure speedy encryption.
The ransomware targets any drive found on the system, including mounted drives, and encrypts anything that is not an executable, driver, or text file. These exclusions avoid encrypting the ransom note or anything that might cause the system to malfunction. The file types to exclude are identified within their directories using FindFirstFileW and FindNextFileW: the lpFindFileData output parameter holds the information on the file found, and FindNextFileW steps through the remaining files matched by FindFirstFileW.
The files are cut into small chunks and the encryption is multithreaded to speed up the operation. Figure 6 shows a snapshot of the read/write steps the ransomware takes to encrypt files on the system. The output shows a read/write buffer length of 16 bytes, which stays consistent throughout execution. After encryption, the .bianlian extension is appended to file names and the files are closed.
Figure 6. Ransomware read/write procmon
We did not observe any network interaction in this sample, which suggests the threat actor deployed the sample directly on the system using remote access.
As highlighted by the cybersecurity services firm [redacted], the BianLian threat group's initial access is likely gained via the ProxyShell vulnerability chain or a SonicWall VPN firmware vulnerability. From there, the threat actor moves laterally to find targets of interest, escalates privileges, and deploys the BianLian ransomware. Chosen files are archived and transferred with dropped copies of WinSCP and 7-Zip, and the data is sent back to the threat actor. Additionally, the operators might install backdoors to maintain access to the infected systems.
BianLian is a relatively new threat actor that targets a wide range of industries. As they are likely financially motivated, they will continue to exploit the systems and networks they gain access to. Their Golang-based ransomware uses goroutines and encrypts files in chunks to quickly ransom an infected system. The threat actor targets multiple industries in multiple countries. Their deployment method is manual infiltration of the system, using living-off-the-land (LotL) binaries to explore the networks and systems themselves. Once they have found all the information they want, they deploy their ransomware.
To date, this ransomware group has targeted the professional services, manufacturing, healthcare, energy, media, banking, and education sectors. Their targets thus far reside in the United States, Australia, and the United Kingdom. There is no indication that they are limited to these industries or countries.
File Carving (D3-FC): Use the file carving technique to examine files sent over the network.
File Access Pattern Analysis (D3-FAPA): Identify the way an application accesses files; a target could be the repeated reads and writes on files that ransomware employs.
Remote Terminal Session Detection (D3-RTSD): Detect unauthorized remote sessions through network traffic.
File Creation Analysis (D3-FCA): Ransomware creates ransom notes; this behavior can be detected.
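The read/write pattern in Figure 6 and the D3-FAPA and D3-FCA countermeasures above can be turned into a concrete check over Procmon CSV output: count the 16-byte ReadFile/WriteFile events per process, the renames to a .bianlian name, and the creation of Look at this instruction.txt. This is an added example, not BlackBerry's detection content; SampleLog is a constructed excerpt in Procmon's CSV layout, and the parser deliberately copes with Procmon's thousands separators ("Length: 16,384") so a 16 KB read is not counted as a 16-byte one.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type Finding struct {
	FixedIO   int  // ReadFile/WriteFile events with a 16-byte buffer
	Renamed   int  // renames whose new name ends in .bianlian
	NoteFound bool // "Look at this instruction.txt" was created
}

// Suspicious: a burst of fixed-size I/O plus at least one file-name indicator.
func (f Finding) Suspicious(minFixedIO int) bool {
	return f.FixedIO >= minFixedIO && (f.Renamed > 0 || f.NoteFound)
}

var lengthRE = regexp.MustCompile(`Length: (\d+(?:,\d{3})*)`)

// ioLength returns N from "Length: N" in a Procmon Detail string, accepting thousands separators; -1 if absent.
func ioLength(detail string) int {
	m := lengthRE.FindStringSubmatch(detail)
	if m == nil {
		return -1
	}
	n, _ := strconv.Atoi(strings.ReplaceAll(m[1], ",", ""))
	return n
}

// Analyze reads Procmon CSV (Time,Process Name,PID,Operation,Path,Result,Detail) and counts indicators per process.
func Analyze(log string) (map[string]Finding, error) {
	recs, err := csv.NewReader(strings.NewReader(log)).ReadAll()
	if err != nil {
		return nil, err
	}
	out := map[string]Finding{}
	for i, rec := range recs {
		if i == 0 || len(rec) < 7 { // header row or truncated row
			continue
		}
		proc, op, path, detail := rec[1], rec[3], rec[4], rec[6]
		f := out[proc]
		switch op {
		case "ReadFile", "WriteFile":
			if ioLength(detail) == 16 {
				f.FixedIO++
			}
		case "SetRenameInformationFile":
			if strings.HasSuffix(strings.ToLower(detail), ".bianlian") {
				f.Renamed++
			}
		case "CreateFile":
			if strings.HasSuffix(strings.ToLower(path), `\look at this instruction.txt`) {
				f.NoteFound = true
			}
		}
		out[proc] = f
	}
	return out, nil
}

// SampleLog is a constructed Procmon-style excerpt, not a real capture.
const SampleLog = `"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0001","anabolic.exe","4120","ReadFile","C:\Users\victim\Documents\report.docx","SUCCESS","Offset: 0, Length: 16, Priority: Normal"
"10:01:00.0002","anabolic.exe","4120","WriteFile","C:\Users\victim\Documents\report.docx","SUCCESS","Offset: 0, Length: 16"
"10:01:00.0003","anabolic.exe","4120","ReadFile","C:\Users\victim\Documents\report.docx","SUCCESS","Offset: 16, Length: 16, Priority: Normal"
"10:01:00.0004","anabolic.exe","4120","SetRenameInformationFile","C:\Users\victim\Documents\report.docx","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\victim\Documents\report.docx.bianlian"
"10:01:00.0005","anabolic.exe","4120","CreateFile","C:\Users\victim\Documents\Look at this instruction.txt","SUCCESS","Desired Access: Generic Write"
"10:01:01.0001","WINWORD.EXE","2216","ReadFile","C:\Users\victim\Documents\notes.docx","SUCCESS","Offset: 0, Length: 16,384, Priority: Normal"
`

func main() {
	findings, _ := Analyze(SampleLog) // constructed input, so the error is ignored here
	for proc, f := range findings {
		fmt.Printf("%-13s %+v suspicious=%v\n", proc, f, f.Suspicious(3))
	}
}
```

On a real capture the FixedIO threshold should be set well above 3; the ransomware issues thousands of 16-byte operations per file, while ordinary applications rarely repeat such small I/O.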
The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:
Redacted blog: https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
Cyble: https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/
Go.dev documentation: https://go.dev/src/cmd/go/internal/work/buildid.go
Go Routines: https://golangbot.com/goroutines/
Go.dev Crypto Documentation: https://pkg.go.dev/crypto
Microsoft Documentation: https://learn.microsoft.com/en-us/
ThreatFabric: https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html
If you're battling this malware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
Originally posted here:
BianLian Ransomware Encrypts Files in the Blink of an Eye - BlackBerry Blog