
Charming Kitten’s New BellaCiao Malware Found in Multi-Country Attack
The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the US, Europe, the Middle East, and India with newly dubbed malware called BellaCiao, adding to an ever-expanding list of custom tools.
Discovered by Bitdefender Labs, BellaCiao is a “personalized dropper” capable of delivering other malware payloads to victim machines based on commands received from an actor-controlled server.
“Each sample collected is associated with a specific victim and includes hard-coded information such as company name, specially created subdomain or associated public IP address,” the Romanian cybersecurity firm said in a report shared with The Hacker News.
Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC).
Over the years, the group has used a variety of ways to deploy backdoors in systems belonging to various industry verticals.
The development comes as Microsoft has attributed the threat actor to retaliatory attacks aimed at critical infrastructure entities in the US between late 2021 and mid-2022 using bespoke malware such as CharmPower, Drokbk, and Soldier.
Then, earlier this week, Check Point disclosed Mint Sandstorm's use of the latest version of its PowerLess implant to attack organizations located in Israel using Iraq-themed phishing lures.
“Custom-developed malware, also known as ‘customized’ malware, is generally more difficult to detect because it is specially built to evade detection and contains unique code,” said Bitdefender researcher Martin Zugec.
The exact modus operandi used to achieve the initial intrusion is currently undetermined, although it is suspected to involve the exploitation of a known vulnerability in an internet-exposed application such as Microsoft Exchange Server or Zoho ManageEngine.
The successful breach was followed by the threat actor attempting to disable Microsoft Defender using a PowerShell command and establishing persistence on the host via a service instance.
Bitdefender said it also observed Charming Kitten download two Internet Information Services (IIS) modules capable of processing incoming instructions and exfiltrating credentials.
BellaCiao, for its part, is notable for performing a DNS request every 24 hours to resolve a subdomain to an IP address, which is then parsed to extract the commands to be executed on the compromised system.
“Resolved IP addresses are like real public IP addresses, but with slight modifications that allow BellaCiao to receive further instructions,” explains Zugec.
It communicates “with an attacker-controlled DNS server that sends malicious hard-coded instructions via a resolved IP address that mimics the target’s real IP address. The result is additional malware that is dropped via hard-coded instructions rather than a traditional download.”
Depending on the resolved IP address, the chain of attack leads to the deployment of a web shell that supports the ability to upload and download arbitrary files and execute commands.
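As an added illustration, not code from Bitdefender's report or from the malware itself, the following Python snippet shows one way a defender could hunt for this pattern in resolver logs: it flags a host that queries the same name roughly every 24 hours and receives answers that sit near, but are not equal to, the organisation's real public IP. The log lines, the public IP and the domain names are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed: the organisation's real public IP (assumption for this example)
ORG_PUBLIC_IP = "203.0.113.45"

# Constructed resolver log: timestamp, source host, queried name, A-record answer
SAMPLE_LOG = """\
2023-04-20T02:00:05Z srv01 mail.corp-example.com 198.51.100.17
2023-04-20T02:00:07Z srv01 update.victim-corp-example.net 203.0.113.47
2023-04-21T02:00:09Z srv01 update.victim-corp-example.net 203.0.113.51
2023-04-21T10:13:00Z srv01 cdn.example.org 192.0.2.10
2023-04-22T02:00:11Z srv01 update.victim-corp-example.net 203.0.113.47
"""

def parse_log(text):
    """Turn each log line into (timestamp, host, name, answer_ip)."""
    events = []
    for line in text.splitlines():
        ts, host, name, answer = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, host, name, ipaddress.ip_address(answer)))
    return events

def is_lookalike(answer, real_ip, max_delta=64):
    """True when the answer is close to, but not equal to, the real public IP."""
    real = ipaddress.ip_address(real_ip)
    return answer != real and abs(int(answer) - int(real)) <= max_delta

def find_daily_beacons(events, tolerance=timedelta(minutes=15)):
    """Return (host, name) pairs whose lookups repeat every 24h (+/- tolerance)."""
    by_key = {}
    for ts, host, name, _ in events:
        by_key.setdefault((host, name), []).append(ts)
    hits = []
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps and all(abs(g - timedelta(hours=24)) <= tolerance for g in gaps):
            hits.append(key)
    return hits

def detect(text, real_ip):
    """Pairs that both beacon daily and resolve to a lookalike of the real IP."""
    events = parse_log(text)
    lookalike = {(h, n) for _, h, n, a in events if is_lookalike(a, real_ip)}
    periodic = set(find_daily_beacons(events))
    return sorted(lookalike & periodic)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG, ORG_PUBLIC_IP))
```

Legitimate services in the same address range as your own egress IP will also match the lookalike test, so the 24-hour periodicity is what turns the result into something worth triaging.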
Also observed is a second BellaCiao variant that swaps the web shell for the Plink tool, a command-line connection utility for PuTTY, which is designed to establish a reverse proxy connection to a remote server and implement similar backdoor features.
The attack is believed to represent a second phase following opportunistic attacks, in which BellaCiao is customized and deployed against carefully selected victims after indiscriminate exploitation of vulnerable systems.
“The best protection against modern attacks involves implementing a defense-in-depth architecture,” Zugec concludes. “The first step in this process is reducing the attack surface, which involves limiting the number of entry points an attacker can use to gain access to your system and quickly patching any newly discovered vulnerabilities.”