Bian Lian is an ancient dramatic art that originates in China. Artists move about the stage in brightly colored outfits and colored masks. The performers are so quick to change the masks that, with the swipe of a fan or the blink of an eye, their costume's face completely changes. We can now add a new meaning to the term "Bian Lian," because a ransomware group took the name and made it their own.

Research from Cyble found that this threat group targets many different industry sectors. Their targets have historically included manufacturing, education, healthcare, professional services, energy, banking, financial services and insurance (BFSI), and the entertainment industry.

As of September 20, 2022, the group's leak site lists 23 victims. BlackBerry researchers analyzed the list of victims and determined that this group targets corporations rather than specific countries. The listed victims have varied origins, including the United States, Australia, and the United Kingdom. Why do these operators target English-speaking countries? It is likely that the threat actor is financially motivated rather than politically or geographically oriented. At this point, the group has not claimed any affiliation with any nation state or agenda.

BianLian ransomware shares its name with a malicious Android package (APK) application that was previously hosted on the Google Play™ store but has since been removed. That application was also dubbed "BianLian" by ThreatFabric. This identically named malware used a dropper from the Google Play store to install a malicious file from the infamous Anubis Banker Trojan. From there, the threat actor would use a messaging service to deliver command-and-control (C2) commands and steal user credentials. At the time of writing, no one has claimed any relation between these two malware families aside from the name they have been given.

Go For Speed in Malware

BianLian ransomware is written in Golang. As we discussed in a recent whitepaper, Golang is an open-source programming language designed by Google employees. The language's official first release was in March 2012, and it quickly became a mainstay language for large industry organizations such as Apple, Google, and IBM. Golang comes with a large standard library, garbage collection, and concurrency support. Concurrency means that multiple computations can take place at the same time, through a process called multithreading. To enable this, Go uses "goroutines", which allow functions or methods to execute asynchronously and independently of each other. This concurrency allows for quicker encryption of the target system. Go can compile code for Windows®, Linux®, and OS X®. This feature makes it possible for malware authors to create threats that impact all the major operating systems, if they choose to. Go libraries are statically linked, which means all the necessary libraries are included in the compiled binary. In languages where this is not the case, developers must either ship the libraries separately from the main executable or hope that the target machine already has the needed libraries installed. Including these libraries makes for a larger file that is harder to distribute, but larger files might also be ignored by antivirus (AV) engines that are trying to optimize for speed.

Technical Analysis of BianLian Ransomware

This file is a 64-bit executable compiled with Golang version 1.18.3. When a Golang program is built, it generates a BuildID.
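Two things an analyst wants from the facts above are a way to recover the Go compiler version and build settings from a statically linked sample (the "compiled with Golang version 1.18.3" observation), and a feel for how Go's goroutines let one program process many files at once. The following program is an added example, not BlackBerry's tooling or the ransomware's code. It uses only the standard library: `debug/buildinfo` (Go 1.18+) reads the same embedded metadata that `go version -m <file>` prints, for ELF, PE and Mach-O files alike, so one tool covers Windows, Linux and macOS samples. The BuildID itself is a separate artifact read with `go tool buildid <file>`; it is not exposed by this package. The directory walk uses a worker pool of goroutines, the same concurrency primitive the text describes, here applied to triage rather than encryption. The sample-directory path and worker count are assumptions chosen for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sync"
)

// GoBinaryReport holds the build metadata an analyst wants from a Go binary:
// the compiler version that produced it, the main package path, and the
// build settings (GOOS, GOARCH, -trimpath, CGO_ENABLED, ...) the linker embedded.
type GoBinaryReport struct {
	Path      string
	GoVersion string
	MainPath  string
	Settings  map[string]string
}

// InspectGoBinary reads the embedded build information from the executable at
// path using debug/buildinfo. Files that carry no Go build information
// (non-Go binaries, stripped metadata, or plain data files) return an error.
func InspectGoBinary(path string) (*GoBinaryReport, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	rep := &GoBinaryReport{
		Path:      path,
		GoVersion: info.GoVersion,
		MainPath:  info.Path,
		Settings:  make(map[string]string, len(info.Settings)),
	}
	for _, s := range info.Settings {
		rep.Settings[s.Key] = s.Value
	}
	return rep, nil
}

// InspectDir walks dir (or a single file) and inspects every regular file,
// using a pool of goroutines so large sample directories are processed
// concurrently. Files that are not Go binaries are silently skipped.
func InspectDir(dir string, workers int) ([]*GoBinaryReport, error) {
	if workers < 1 {
		workers = 1
	}
	paths := make(chan string)
	results := make(chan *GoBinaryReport)
	var wg sync.WaitGroup

	// Worker goroutines: each pulls paths off the channel until it is closed.
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range paths {
				if rep, err := InspectGoBinary(p); err == nil {
					results <- rep
				}
			}
		}()
	}

	// Producer goroutine: feeds file paths to the workers, then closes the channel
	// so the workers' range loops terminate.
	walkErr := make(chan error, 1)
	go func() {
		defer close(paths)
		walkErr <- filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
			if err != nil {
				return err
			}
			if d.Type().IsRegular() {
				paths <- p
			}
			return nil
		})
	}()

	// Close results once every worker has finished, ending the collector loop.
	go func() {
		wg.Wait()
		close(results)
	}()

	var reports []*GoBinaryReport
	for rep := range results {
		reports = append(reports, rep)
	}
	return reports, <-walkErr
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gobuildinfo <file-or-directory>")
		os.Exit(2)
	}
	reports, err := InspectDir(os.Args[1], 4) // 4 workers: an arbitrary choice
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk error:", err)
	}
	for _, r := range reports {
		fmt.Printf("%s: %s main=%s GOOS=%s GOARCH=%s\n",
			r.Path, r.GoVersion, r.MainPath, r.Settings["GOOS"], r.Settings["GOARCH"])
	}
}
```

Run it against a quarantine directory (for example `go run . ./samples`) and each Go-built file is listed with its compiler version and target platform; a sample built with a version in the 1.18 series, as the text reports for this file, would show `go1.18.3` in the second column. Because `buildinfo.ReadFile` parses the container format itself, the tool needs no Windows host to inspect a PE sample, and files that are not Go binaries simply produce no line.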