
Iranian Hackers Charming Kitten Create New BellaCiao Malware


By Esme Greene

Jun 13, 2023

Bitdefender Labs’ cybersecurity analysts have reported that the Iranian-backed APT group Charming Kitten has launched a new malware called BellaCiao, which is targeting victims in the Middle East, India, Europe, and the United States.

BellaCiao is a personalized dropper that receives instructions from a C2 server and delivers additional payloads to the target machine. According to Bitdefender Labs, each sample is tied to a specific victim and contains hard-coded information, such as a corporate name, custom subdomains, or a linked public IP address.

Custom malware, such as BellaCiao, is often difficult to detect because of its unique code and evasion tactics.

While the exact attack vector is unknown, experts speculate that the attackers may have exploited known vulnerabilities in Zoho ManageEngine or Microsoft Exchange Server web applications to compromise the systems.

After successfully infiltrating the target, the attackers attempt to disable Microsoft Defender using a PowerShell command as part of establishing persistence on the system. In addition, they drop two Internet Information Services (IIS) modules during their attacks: one to process incoming commands and one to extract credentials.

One of the unique features of BellaCiao is that it performs a DNS query every 24 hours to translate a subdomain into an IP address, which is then used to determine the instructions to be executed on the compromised machine.

The query goes to an attacker-controlled DNS server, which answers with a fake IP address that closely resembles the target’s genuine IP address; the hard-coded instructions are encoded in the way the returned address differs from the real one. As a result, additional malware is delivered according to these hard-coded instructions rather than through standard downloads. This attack chain ultimately leads to the deployment of a web shell that allows files to be uploaded and downloaded and commands to be executed, depending on the resolved IP address.
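The once-a-day DNS lookup described above is a detection opportunity: a host resolving the same unusual subdomain at almost exactly 24-hour intervals, with the answer drifting between lookups, stands out in resolver logs. The script below is an added example written for this article, not code from Bitdefender or from the malware; the log format, the hostnames and the addresses are constructed for illustration.

```python
"""Flag DNS lookups that recur at a fixed ~24-hour period from one client.

Added example for this article. The log lines below are constructed, not real
resolver output, and the 'timestamp client qname answer' format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: one client beacons to a custom subdomain
# once a day (answers vary slightly), mixed with ordinary one-off lookups.
SAMPLE_LOG = """\
2023-04-01T02:00:03Z 10.0.0.15 update.example-corp.invalid 203.0.113.10
2023-04-01T09:14:21Z 10.0.0.15 www.example.org 198.51.100.7
2023-04-02T02:00:05Z 10.0.0.15 update.example-corp.invalid 203.0.113.12
2023-04-02T11:30:00Z 10.0.0.22 www.example.org 198.51.100.7
2023-04-03T02:00:02Z 10.0.0.15 update.example-corp.invalid 203.0.113.10
2023-04-03T14:02:44Z 10.0.0.22 mail.example.org 198.51.100.9
2023-04-04T02:00:04Z 10.0.0.15 update.example-corp.invalid 203.0.113.11
"""

PERIOD = timedelta(hours=24)        # beacon interval reported for BellaCiao
TOLERANCE = timedelta(minutes=15)   # allowed jitter around the period
MIN_LOOKUPS = 3                     # need several repeats before alerting


def parse_log(text):
    """Parse 'timestamp client qname answer' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, qname, answer))
    return records


def find_periodic_lookups(records, period=PERIOD, tolerance=TOLERANCE,
                          min_lookups=MIN_LOOKUPS):
    """Return (client, qname) pairs whose lookups are evenly spaced at ~period.

    Each finding also lists the distinct answers seen, since an answer that
    changes from day to day for the same name is part of the pattern.
    """
    by_key = defaultdict(list)
    for ts, client, qname, answer in records:
        by_key[(client, qname)].append((ts, answer))

    findings = []
    for (client, qname), events in by_key.items():
        if len(events) < min_lookups:
            continue
        events.sort()
        gaps = [later[0] - earlier[0]
                for earlier, later in zip(events, events[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            findings.append({
                "client": client,
                "qname": qname,
                "lookups": len(events),
                "distinct_answers": sorted({a for _, a in events}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_lookups(parse_log(SAMPLE_LOG)):
        print(f"{finding['client']} -> {finding['qname']}: "
              f"{finding['lookups']} lookups ~24h apart, "
              f"answers {finding['distinct_answers']}")
```

On the constructed log this reports only the 10.0.0.15 client resolving update.example-corp.invalid four times at 24-hour spacing with three different answers; the ordinary lookups never reach the minimum count. In practice the period and tolerance should be tuned to the environment, and legitimate daily jobs (update checks, scheduled backups) will need an allow-list.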

In a second variation of BellaCiao that has been discovered, Plink, the command-line connection tool from the PuTTY suite, is used in place of the web shell to create a reverse proxy link to a remote server and provide backdoor functionality.

Charming Kitten is selectively targeting victims with the BellaCiao dropper after indiscriminately compromising vulnerable systems in a campaign that has targeted various sectors and businesses. The observed attacks are particularly effective against poorly maintained systems with outdated software or weak passwords, as well as small businesses lacking detection and response capabilities.
