BellaCiao Malware

The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools.

Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that's capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server.

"Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address," the Romanian cybersecurity firm said in a report shared with The Hacker News.

Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC).

Over the years, the group has utilized various means to deploy backdoors in systems belonging to a wide range of industry verticals.

Cybersecurity

The development comes as the threat actor was attributed by Microsoft to retaliatory attacks aimed at critical infrastructure entities in the U.S. between late 2021 to mid-2022 using bespoke malware such as CharmPower, Drokbk, and Soldier.

Then earlier this week, Check Point disclosed Mint Sandstorm's use of an updated version of the PowerLess implant to strike organizations located in Israel using Iraq-themed phishing lures.

"Custom-developed malware, also known as 'tailored' malware, is generally harder to detect because it is specifically crafted to evade detection and contains unique code," Bitdefender researcher Martin Zugec noted.

The exact modus operandi used to achieve initial intrusion is currently undetermined, although it's suspected to entail the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine.

A successful breach is followed by the threat actor attempting to disable Microsoft Defender using a PowerShell command and establishing persistence on the host via a service instance.

Bitdefender said it also observed Charming Kitten downloading two Internet Information Services (IIS) modules capable of processing incoming instructions and exfiltrating credentials.

Cybersecurity

BellaCiao, for its part, is notable for performing a DNS request every 24 hours to resolve a subdomain to an IP address that's subsequently parsed to extract the commands to be executed on the compromised system.

"The resolved IP address is like the real public IP address, but with slight modifications that allow BellaCiao to receive further instructions," Zugec explained.

It communicates "with an attacker-controlled DNS server that sends malicious hard-coded instructions via a resolved IP address that mimics the target's real IP address. The result is additional malware dropped via hard-coded instructions rather than traditional download."

Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports the ability to upload and download arbitrary files as well as run commands.

Also spotted is a second variant of BellaCiao that substitutes the web shell for a Plink tool – a command-line utility for PuTTY – that's designed to establish a reverse proxy connection to a remote server and implement similar backdoor features.

The campaign, which has singled out a plethora of industries and company sizes, is assessed to be an outcome of opportunistic attacks, wherein BellaCiao is customized and deployed against carefully selected victims of interest following indiscriminate exploitation of vulnerable systems.

"This type of attack is particularly effective against systems that are not well-maintained, have outdated software or security patches, have weak passwords – or in many cases, smaller companies that don't have detection and response capabilities," Zugec told The Hacker News.

"With increasing popularity of vulnerability exploits and automated attacks, even small companies can become a target for state-affiliated threat actors. The best protection against modern attacks involves implementing a defense-in-depth architecture."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.