
Charming Kitten Spreads BellaCiao Malware for Concentrated Attacks

Charming Kitten, an Iranian nation-state group, has modernized its TTPs and now weaponizes publicly disclosed PoCs in its attacks. The group has also been observed using a previously unseen custom dropper, BellaCiao, named after an Italian folk song associated with resistance fighters.

Capabilities of BellaCiao

The BellaCiao malware is built for individual targets: each collected sample could be tied to a specific victim and contained hard-coded details such as the company name, the associated public IP address, or purpose-built subdomains.
  • It is a personalized dropper capable of deploying additional malicious payloads onto a victim machine via commands received from an attacker-controlled server.
  • The malware uses a unique communication approach with its C2 infrastructure and displays a high level of complexity.
  • The attackers download two IIS modules (IIS-Raid and a DotNet .NET IIS module), which handle credential exfiltration and the processing of incoming instructions.

Initial intrusion tactics

Most of its victims are located in the U.S., Turkey, India, Europe, and the Middle East.
  • BellaCiao was possibly delivered by exploiting known vulnerabilities in internet-exposed applications such as Zoho ManageEngine or Exchange Server.
  • The malware performs a DNS request every 24 hours to resolve a subdomain to an IP address. The returned IP address is parsed to extract the commands to be executed on the targeted system.
  • The attack chain leads to the deployment of a web shell; a second BellaCiao variant replaces the web shell with the Plink tool (a PuTTY command-line utility), which establishes a reverse proxy connection to a remote server and provides similar backdoor functionality.
  • A successful intrusion is followed by an attempt to disable Microsoft Defender with a PowerShell command and to establish persistence on the host through a service instance.
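The two behaviours above that leave the clearest traces in logs are the once-a-day DNS resolution of a victim-specific subdomain and the follow-on Defender tampering and service creation. The script below is an added detection example, not code from the original article or from the analysts who described BellaCiao; the DNS log format, the PowerShell script-block samples, all host names and IP addresses are constructed for illustration. It flags a (client, name) pair only when the name is queried at roughly 24-hour intervals and by a single host, which is what a per-victim subdomain would look like, and it deliberately ignores daily lookups shared by several hosts (ordinary scheduled-task traffic) so that the rule does not fire on every nightly update check.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(hours=24)

# Constructed resolver log: "ISO-timestamp client record-type queried-name".
# 10.0.0.7 resolves a host-specific name once a day (the pattern of interest);
# 10.0.0.5 and 10.0.0.9 show benign traffic that should not be flagged.
DNS_LOG = """\
2023-04-01T08:01:02Z 10.0.0.7 A host-2.update.example-cdn.test
2023-04-02T08:01:05Z 10.0.0.7 A host-2.update.example-cdn.test
2023-04-03T08:01:01Z 10.0.0.7 A host-2.update.example-cdn.test
2023-04-01T08:00:12Z 10.0.0.5 A www.example-cdn.test
2023-04-01T12:30:44Z 10.0.0.5 A www.example-cdn.test
2023-04-02T08:00:12Z 10.0.0.5 A www.example-cdn.test
2023-04-02T08:00:30Z 10.0.0.7 A www.example-cdn.test
2023-04-01T08:00:00Z 10.0.0.9 A time.corp.test
2023-04-02T08:00:00Z 10.0.0.9 A time.corp.test
2023-04-03T08:00:00Z 10.0.0.9 A time.corp.test
2023-04-01T08:00:00Z 10.0.0.5 A time.corp.test
"""


def parse_dns_log(text):
    """Parse log lines into (timestamp, client, qname) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _rtype, qname = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower()))
    return rows


def find_daily_beacons(rows, tolerance=timedelta(minutes=90), min_queries=3):
    """Return sorted (client, qname) pairs where one host alone resolves a name
    at ~24h intervals. Names resolved by more than one client are skipped,
    since a per-victim subdomain is expected to be unique to its victim."""
    by_pair = defaultdict(list)
    clients_per_name = defaultdict(set)
    for ts, client, qname in rows:
        by_pair[(client, qname)].append(ts)
        clients_per_name[qname].add(client)

    hits = []
    for (client, qname), stamps in by_pair.items():
        if len(stamps) < min_queries or len(clients_per_name[qname]) != 1:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - DAY) <= tolerance for gap in gaps):
            hits.append((client, qname))
    return sorted(hits)


# Patterns for the post-intrusion steps: turning off a Defender feature via
# Set-MpPreference -Disable<Feature>, and registering a new service.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+", re.IGNORECASE)
SERVICE_PERSIST = re.compile(r"\b(New-Service|sc(?:\.exe)?\s+create)\b", re.IGNORECASE)

# Constructed PowerShell script-block texts (what Event ID 4104 would carry).
SCRIPT_BLOCKS = [
    "Get-MpComputerStatus | Select-Object AMRunningMode",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "New-Service -Name 'UpdateSvc' -BinaryPathName 'C:\\ProgramData\\svc.exe' -StartupType Automatic",
    "Set-MpPreference -ScanScheduleDay Sunday",   # Defender change, but not a disable
]


def flag_script_blocks(blocks):
    """Return (index, label) for each block matching a tampering or persistence pattern."""
    findings = []
    for i, text in enumerate(blocks):
        if DEFENDER_TAMPER.search(text):
            findings.append((i, "defender-tamper"))
        if SERVICE_PERSIST.search(text):
            findings.append((i, "service-persistence"))
    return findings


if __name__ == "__main__":
    for client, name in find_daily_beacons(parse_dns_log(DNS_LOG)):
        print(f"daily single-host lookup: {client} -> {name}")
    for idx, label in flag_script_blocks(SCRIPT_BLOCKS):
        print(f"script block {idx}: {label}")
```

The 90-minute tolerance absorbs host clock drift and process restarts without letting hourly or weekly traffic through; tighten it if resolver timestamps are reliable. Both functions are intended to run over exported logs, with hits fed into triage rather than treated as verdicts on their own, since a single host resolving a unique name daily can also be a one-off software installation.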

Conclusion

Charming Kitten continues to update its attack arsenal with new malware of greater sophistication and efficiency. Experts recommend a defense-in-depth architecture to stay protected against such attacks: for example, limiting the number of entry points attackers can use to gain access to systems, and promptly patching newly disclosed security vulnerabilities. Organizations should also block malicious domains, IPs, and URLs on all machines.
Cyware Publisher