Bitdefender Labs’ cybersecurity analysts have reported that the Iranian-backed APT group Charming Kitten has launched a new malware called BellaCiao, which is targeting victims in the Middle East, India, Europe, and the United States.
BellaCiao is a personalized dropper: rather than pulling a payload straight from a download server, it receives instructions from attacker-controlled infrastructure and uses them to deliver additional payloads to the target machine. According to Bitdefender Labs, each sample is built for one specific victim and carries hard-coded details about it, such as the corporate name, custom subdomains, and an associated public IP address.
Custom malware such as BellaCiao is often hard to detect because its code is unique to each target, so existing signatures do not match it, and because it relies on evasion tactics.
While the exact initial access vector is unknown, experts speculate that the attackers may have exploited known vulnerabilities in Zoho ManageEngine or Microsoft Exchange Server web applications to compromise the systems.
After successfully infiltrating the target, the attackers attempt to disable Microsoft Defender with a PowerShell command and then establish persistence on the system. They also deploy two Internet Information Services (IIS) modules that process incoming commands and harvest credentials.
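The two behaviours above leave traces that are easy to hunt for in PowerShell script-block logging (Event ID 4104) and process-creation events (4688). The following is an added example, not code from the article or from Bitdefender, that runs a small set of tamper patterns over constructed sample events. The sample commands are assumptions about what such tampering commonly looks like (Set-MpPreference/Add-MpPreference for Defender, New-WebGlobalModule or appcmd.exe for installing a global IIS module); the page does not state which exact command BellaCiao used.

```python
import re

# Constructed sample events: (event id, script text or command line).
# These are illustrative, not telemetry from the Bitdefender report.
SAMPLE_EVENTS = [
    ("4104", "Get-ChildItem C:\\inetpub\\logs"),
    ("4104", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("4104", "Add-MpPreference -ExclusionPath 'C:\\inetpub\\wwwroot'"),
    ("4688", "appcmd.exe install module /name:HttpHelper /image:C:\\Windows\\System32\\inetsrv\\helper.dll"),
    ("4104", "New-WebGlobalModule -Name HttpHelper -Image C:\\inetsrv\\helper.dll"),
    ("4104", "Get-MpPreference"),
]

# Assumed detection patterns (hypothetical names). Read-only cmdlets such as
# Get-MpPreference are deliberately not matched to keep noise down.
TAMPER_PATTERNS = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I),
    "iis_global_module_install": re.compile(
        r"(New-WebGlobalModule\b|appcmd(\.exe)?\s+install\s+module\b)", re.I),
}


def classify_event(text: str) -> list[str]:
    """Return the names of every tamper pattern that matches one event's text."""
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(text)]


def triage(events) -> list[tuple[str, str, str]]:
    """Run all events through the patterns; keep (event id, tag, text) per hit."""
    findings = []
    for event_id, text in events:
        for tag in classify_event(text):
            findings.append((event_id, tag, text))
    return findings


if __name__ == "__main__":
    for event_id, tag, text in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {tag}: {text}")
```

Two caveats when turning this into a production rule: Set-MpPreference needs local administrator rights and is blocked when Tamper Protection is enabled, so a successful disable is itself evidence of prior privilege escalation or a misconfigured host, and a global IIS module install on a server that is not undergoing planned change should be treated as a high-severity event regardless of the module name.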
One of BellaCiao's distinctive features is that every 24 hours it performs a DNS query to resolve a subdomain to an IP address, and the address it receives determines the instructions to execute on the compromised machine.
The subdomain is served by an attacker-controlled DNS server, which answers with an IP address that resembles the victim's genuine public IP (the one hard-coded into the sample). The malware interprets the answer against that hard-coded address, and the value it receives selects the hard-coded instruction to run. Payloads are therefore triggered by an encoded DNS answer rather than fetched through a conventional download from a C2 server, which is much less conspicuous on the wire. In the observed chain this ultimately leads to the deployment of a web shell that can upload and download files and execute commands, depending on which address was returned.
In a second variant of BellaCiao, the web shell is replaced by Plink, PuTTY's command-line SSH client, which is used to open a reverse tunnel to an attacker-controlled server and provide backdoor access.
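The DNS-as-command-channel mechanism above, and the two payload variants (web shell or Plink tunnel), can be modelled in a few lines. The following is an added example, not code from the article or a reconstruction of BellaCiao itself: it shows an implant-side decoder in which the offset of the resolved address from the hard-coded IP selects the action, and a defender-side hunt over constructed resolver logs that flags answers landing suspiciously close to the organisation's own public IP from a domain the organisation does not own. The offset-to-command table, the log format, the domain names and all addresses are hypothetical; the page only states that the answer "resembles" the victim's real IP and selects the instruction.

```python
import ipaddress
from collections import Counter

# Assumed command table: which offset means what is an illustration, not
# BellaCiao's real encoding (the article does not specify it).
COMMAND_BY_OFFSET = {
    0: "idle",                 # answer equals the hard-coded IP: nothing to do
    1: "deploy_webshell",      # first variant described in the article
    2: "deploy_plink_tunnel",  # second variant: Plink reverse SSH tunnel
}


def decode_instruction(hardcoded_ip: str, resolved_ip: str) -> str:
    """Implant-side view: turn a DNS answer into an action using the per-victim hard-coded IP."""
    expected = ipaddress.IPv4Address(hardcoded_ip)
    answer = ipaddress.IPv4Address(resolved_ip)
    if expected.packed[:3] != answer.packed[:3]:
        return "ignore"  # outside the expected /24: treat as noise or a sinkhole
    offset = answer.packed[3] - expected.packed[3]
    return COMMAND_BY_OFFSET.get(offset, "unknown")


# Constructed resolver log: "<timestamp> <client> <qname> <A answer>" per line.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
DNS_LOG = """\
2023-04-20T02:00:00Z 10.20.1.15 mail.example-corp.com 203.0.113.40
2023-04-20T02:00:01Z 10.20.1.15 api.example-corp.com 203.0.113.42
2023-04-20T02:05:00Z 10.20.1.7 update.example-corp-mail.net 203.0.113.41
2023-04-21T02:05:03Z 10.20.1.7 update.example-corp-mail.net 203.0.113.41
2023-04-20T02:06:00Z 10.20.1.9 www.example.org 198.51.100.20
"""


def find_lookalike_answers(log_text: str, org_public_ips, trusted_domains, max_offset: int = 8):
    """Defender-side hunt: answers within max_offset of an org public IP, from an untrusted zone."""
    org = [ipaddress.IPv4Address(ip) for ip in org_public_ips]
    hits = []
    for line in log_text.splitlines():
        ts, client, qname, answer = line.split()
        if any(qname == d or qname.endswith("." + d) for d in trusted_domains):
            continue  # our own zones legitimately resolve into our own address space
        ans = ipaddress.IPv4Address(answer)
        for ip in org:
            if ans.packed[:3] == ip.packed[:3] and abs(int(ans) - int(ip)) <= max_offset:
                hits.append((ts, client, qname, answer))
    return hits


def beacon_counts(hits) -> Counter:
    """Count (client, qname) pairs; repeated daily lookups of one lookalike name stand out."""
    return Counter((client, qname) for _, client, qname, _ in hits)


if __name__ == "__main__":
    for answer in ("203.0.113.40", "203.0.113.41", "203.0.113.42", "198.51.100.5"):
        print(answer, "->", decode_instruction("203.0.113.40", answer))
    hits = find_lookalike_answers(DNS_LOG, ["203.0.113.40"], ["example-corp.com"])
    for key, n in beacon_counts(hits).items():
        print(key, "seen", n, "times")
```

The hunt deliberately ignores the queried name's reputation and keys on the answer instead: the attacker picks the subdomain, but the encoding constraint forces the answer into the victim's own /24, which is a property the defender knows in advance. The once-per-day cadence is the second handle; a name that resolves into your address space from someone else's zone and is looked up at the same time every day is worth an analyst's attention even if the offset table above is wrong.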
Charming Kitten first compromises vulnerable systems indiscriminately, in a campaign spanning many sectors and businesses, and then selectively follows up with the BellaCiao dropper on victims of interest. The observed attacks are particularly effective against poorly maintained systems running outdated software or protected by weak passwords, and against small businesses that lack detection and response capabilities.