Recently, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) issued a joint cybersecurity advisory. Its purpose was to share the known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) of the BianLian group uncovered during FBI and ASD's ACSC investigations. The group has become known for extorting ransoms over sensitive data it steals.
This story has received a massive response among cybersecurity teams. Today we dive into one of the most notorious threats of recent times: the attacks of the BianLian hacker group. Although it has already distinguished itself with numerous attacks on critical infrastructure in the US and Australia, the criminals apparently have no plans to retire yet.
Who is BianLian?
Sounds like the new K-pop group your niece is a fan of — but unfortunately, no.
Behind the catchy name is a cybercriminal group that used to distribute ransomware but then switched to double extortion: data is stolen and encrypted, and the group threatens to publish it.
The hackers work smart: they use legitimate Windows tools, operate in memory, and love it when IT security specialists don't get enough sleep.
The attack proceeds in several stages. Below, on virtual machines (Windows Server 2019 and Kali Linux), we recreate an attack inspired by BianLian's real actions.
Stage 1: Initial Access
Let's say the attacker is already inside the network and finds a machine with an open SMB port. They brute-force logins and passwords:
crackmapexec smb 192.168.1.100 -u users.txt -p passwords.txt
We try credentials from pre-prepared lists. If we are lucky, we get an administrator account. Jackpot.
✅ Initial Access — successful.
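From the defender's side, a word-list attack over SMB looks like a burst of failed network logons (Security Event ID 4625, logon type 3) from one source, often against several accounts, followed by a success (4624). The following Python is an added example, not part of the original post and not Trellix tooling: it runs a simple burst-then-success rule over a few constructed log records. The field layout, the threshold of five failures within two minutes, and the sample addresses and user names are assumptions made for this example.

```python
"""Added example (not from the original post): flag SMB brute force / password
spraying from Windows Security log records.  The records below are constructed
to resemble the essential fields of Event ID 4625 (failed logon) and 4624
(successful logon) with logon type 3 (network), which is what a tool hammering
SMB with a word list produces on the target.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, user, source_ip)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:01", 4625, 3, "jsmith", "192.168.1.50"),
    ("2024-01-01 10:00:02", 4625, 3, "jdoe", "192.168.1.50"),
    ("2024-01-01 10:00:02", 4625, 3, "svc_backup", "192.168.1.50"),
    ("2024-01-01 10:00:03", 4625, 3, "Administrator", "192.168.1.50"),
    ("2024-01-01 10:00:03", 4625, 3, "Administrator", "192.168.1.50"),
    ("2024-01-01 10:00:04", 4624, 3, "Administrator", "192.168.1.50"),
    ("2024-01-01 10:05:00", 4625, 3, "jsmith", "192.168.1.77"),  # a single typo, benign
    ("2024-01-01 10:05:30", 4624, 3, "jsmith", "192.168.1.77"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for every source with at least `threshold`
    network-logon failures inside `window`.  The finding records how many
    accounts were tried and which account, if any, later succeeded."""
    by_src = defaultdict(list)
    for ts, eid, ltype, user, src in events:
        if ltype == 3 and eid in (4624, 4625):
            by_src[src].append((parse_ts(ts), eid, user))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [e for e in evs if e[1] == 4625]
        # Sliding window over the failures: find the first burst that is large enough.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_start = failures[i][0]
                success = next((e for e in evs if e[1] == 4624 and e[0] >= burst_start), None)
                findings[src] = {
                    "failures": j - i,
                    "distinct_users": len({f[2] for f in failures[i:j]}),
                    "success_user": success[2] if success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

A success following the burst is the line worth paging on: a spray that ends in a 4624 for an administrator account is the "jackpot" moment from the attacker's view, and the host that logged it is where credential dumping is likely to start next.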
Stage 2: Credential Dumping
Next, BianLian usually goes for the "password safe". We will not lag behind: let's use secretsdump.py, the legendary tool from Impacket:
python3 secretsdump.py Administrator:PassWord123@192.168.1.100
We get the NTLM hashes.
✅ Credential Dumping — successful.
Stage 3: Lateral Movement
Here's where the heavy hitters come in:
python3 psexec.py Administrator:PassWord123@192.168.1.100
Impacket creates a temporary .exe, drops it onto the remote host, and runs it as a service via services.exe. We get a shell with SYSTEM privileges, the cyber equivalent of a golden key to all doors.
Moving on: inside, we create a new user, enable RDP via reg.exe, open ports in Windows Firewall and, of course, do not forget to leave a backdoor.
✅ Lateral Movement — successful.
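What a psexec-style run leaves behind on the target is a service installation (System log Event ID 7045) whose binary was just uploaded into the Windows directory under a random name, which is exactly where the ATP detection later in this post finds RqYwLmeR.exe. The Python below is an added example, not part of the original post and not Trellix code: it scores constructed 7045-like records with a few heuristics (binary directly in the Windows directory, random-looking eight-letter binary and service names, service name identical to the binary name). The heuristics and the sample records are assumptions for this example; the name RqYwLmeR is the value quoted later in the post.

```python
"""Added example (not from the original post): spot the service-installation
pattern that psexec-style tools leave in the Windows System log.  The records
below are constructed to mirror the key fields of Event ID 7045 ("A service was
installed in the system").  The heuristics are assumptions for this example:
a binary sitting directly in the Windows directory (where an ADMIN$ upload
lands) with a random-looking 8-letter name and an equally random service name
is typical of Impacket's psexec.py, while legitimate services usually live in
subdirectories and carry descriptive names.
"""
import re

# Constructed sample 7045 records: (service_name, image_path, account)
SAMPLE_SERVICE_INSTALLS = [
    ("Sense", r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe", "LocalSystem"),
    ("RqYwLmeR", r"%SystemRoot%\RqYwLmeR.exe", "LocalSystem"),  # name quoted in the post's detection
    ("BackupAgent", r"C:\Program Files\Acme\backup.exe", "NT AUTHORITY\\SYSTEM"),
    ("xvAoPkDq", r"C:\Windows\xvAoPkDq.exe", "LocalSystem"),  # constructed
]

RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")


def _in_windows_root(path):
    """True when the executable sits directly in the Windows directory
    (%SystemRoot%\\x.exe or C:\\Windows\\x.exe), not in a subfolder."""
    norm = path.strip('"').lower().replace("%systemroot%", r"c:\windows")
    head, _, tail = norm.rpartition("\\")
    return head == r"c:\windows" and tail.endswith(".exe")


def _looks_random(name):
    """Eight letters in mixed case is a cheap proxy for the generated names
    these tools use; descriptive names rarely match."""
    return bool(RANDOM_NAME.match(name)) and name != name.lower() and name != name.upper()


def score_service_install(service_name, image_path, account):
    """Return the list of reasons this 7045 record looks like psexec-style
    remote execution; an empty list means nothing suspicious was seen."""
    reasons = []
    stem = image_path.strip('"').rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if _in_windows_root(image_path):
        reasons.append("binary directly in Windows directory")
    if _looks_random(stem):
        reasons.append("random-looking binary name")
    if _looks_random(service_name):
        reasons.append("random-looking service name")
    if service_name == stem:
        reasons.append("service name equals binary name")
    return reasons


def suspicious_installs(records, min_reasons=2):
    """Keep only records that trip at least `min_reasons` heuristics."""
    return [(svc, path, score_service_install(svc, path, acct))
            for svc, path, acct in records
            if len(score_service_install(svc, path, acct)) >= min_reasons]


if __name__ == "__main__":
    for svc, path, reasons in suspicious_installs(SAMPLE_SERVICE_INSTALLS):
        print(f"{svc}: {path} -> {', '.join(reasons)}")
```

Requiring two independent reasons keeps a single odd-looking installer from paging anyone, while the full psexec pattern trips all four. In a real deployment the same 7045 record should be correlated with the network logon that preceded it, which is the link between this stage and the previous one.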
How will Trellix Endpoint Security behave at each stage of the Cyber Kill Chain?
We get the following picture:
🎯 What has changed:
● crackmapexec still finds the password but can no longer execute commands or create a service
● The coveted Pwn3d! mark is gone, which means Trellix blocks remote code execution
● The launch of cmd.exe, rundll32.exe, and powershell.exe in a suspicious context is prevented
How does protection work?
Access Protection blocks remote service creation (via SMB and WMI) and the launch of critical executables from suspicious processes.
But you can also switch Trellix to monitoring mode…
Intrigued? So were we. Here's the result:
● The antivirus sees everything but does not interfere; it only observes
● When remote access with SYSTEM rights is attempted, a block is triggered
● The temporary .exe created by psexec.py is deleted immediately
● Adaptive Threat Protection (ATP) kicks in during the On-Execute phase, analyzes the file, checks it against GTI (Global Reputation System), and removes the malicious .exe
Let's take a closer look at the GTI.
Think of Google, but only for malicious files: over 1 billion sensors worldwide send signals about new threats. Does a file get a bad reputation? GTI knows, and Trellix reacts.
For example:
⚠️ ATP/Suspect!23873bf2670c
Virus found: C:\Windows\RqYwLmeR.exe
Status: Cleared.
Let's move on to blocking the Backdoor.
Previously, the attacker left a trace through cmd.exe by running:
● reg.exe
● netsh.exe
● net.exe
● net1.exe
Now we have set a rule: none of these processes may be launched via cmd.exe.
The result pleases us: the backdoor is cancelled, and the hacker panics.
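The rule described above amounts to a parent/child constraint on process creation. The Python below is an added example, not the post's own material and not Trellix's configuration syntax: it evaluates such a rule over constructed process-creation records (fields simplified from Security Event ID 4688 / Sysmon Event ID 1) in either block mode or the monitoring mode discussed earlier, where a match is reported but the process is allowed to run. The record layout, the mode names, and the sample users are assumptions for this example.

```python
"""Added example (not from the original post): evaluate an Access Protection-style
rule ("do not let cmd.exe start reg.exe, netsh.exe, net.exe or net1.exe") over
constructed process-creation records, in either block or monitor mode.  The
record layout (parent image, child image, user) is a simplification of the
fields in Security Event ID 4688 / Sysmon Event ID 1; the rule format and the
mode names are assumptions for this example, not the product's own syntax.
"""
import ntpath

BLOCKED_CHILDREN = {"reg.exe", "netsh.exe", "net.exe", "net1.exe"}
BLOCKED_PARENT = "cmd.exe"

# Constructed sample process-creation records: (parent_image, image, user).
# The first five mirror the post's backdoor stage; the last two are benign.
SAMPLE_PROCESSES = [
    (r"C:\Windows\RqYwLmeR.exe", r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "NT AUTHORITY\\SYSTEM"),
    (r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe", "NT AUTHORITY\\SYSTEM"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe", "NT AUTHORITY\\SYSTEM"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe", "NT AUTHORITY\\SYSTEM"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "LAB\\helpdesk"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\netsh.exe", "LAB\\helpdesk"),
]


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path.strip('"')).lower()


def rule_matches(parent_image, image):
    """The rule as stated in the post: a listed child started by cmd.exe.
    net.exe hands its real work to net1.exe, which is why net1.exe is listed;
    in the sample its parent is net.exe, so it is the net.exe launch itself
    that the rule stops."""
    return basename(parent_image) == BLOCKED_PARENT and basename(image) in BLOCKED_CHILDREN


def evaluate(records, mode="block"):
    """Return one (action, parent, child, user) tuple per record.  In monitor
    mode a match is reported but not blocked, which is what an observe-only
    deployment yields."""
    if mode not in ("block", "monitor"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for parent, image, user in records:
        if rule_matches(parent, image):
            action = "BLOCK" if mode == "block" else "REPORT"
        else:
            action = "ALLOW"
        out.append((action, basename(parent), basename(image), user))
    return out


def blocked_children(records, mode="block"):
    """Names of the child processes the rule would have stopped."""
    return [child for action, _, child, _ in evaluate(records, mode) if action == "BLOCK"]


if __name__ == "__main__":
    for action, parent, child, user in evaluate(SAMPLE_PROCESSES):
        print(f"{action:6} {parent} -> {child} ({user})")
```

Note what the rule does not touch: the same netsh.exe started from an administrator's PowerShell session is allowed, so the constraint is on the parent, not on the tool. That is also its limit; a rule keyed only on cmd.exe says nothing about the same commands run from another parent, so it is a tripwire for the post's scenario rather than a complete control.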
What if we just closed the ports?
It would have been possible not to complicate things.
The Trellix firewall module can close SMB and RDP, and the whole attack would have crumbled at the very beginning. Watch closely:
And, of course, all attacks are recorded on the host:
And on the ePO centralized management console for further investigation:
To sum it up
We conducted an attack in a lab environment, went through the Cyber Kill Chain stages, and saw the difference.
Stage              | Without Trellix | With Trellix
-------------------|-----------------|---------------------
Initial Access     | ✅ Successful   | ⚠️ Blocked
Credential Dumping | ✅ Successful   | ❌ Prohibited
Lateral Movement   | ✅ Shell SYSTEM | ❌ Refusal to launch
Backdoor           | ✅ Created      | ❌ Prohibited