Charming Kitten’s New BellaCiao Malware Discovered in Multi-Country Attacks

April 26, 2023Rabbi Lakshmanan

the prolific Iranian nation-state group known as the charming kitten is actively targeting multiple victims in the United States, Europe, the Middle East, and India, and is referred to as a new malware. Bellachaoadded to the ever-growing list of custom tools.

Discovered by Bitdefender Labs, BellaCiao is a “personalized dropper” that can deliver other malware payloads to a victim’s machine based on commands received from an attacker-controlled server.

“Each collected sample was associated with a specific victim and contained hardcoded information such as company names, specially crafted subdomains, and associated public IP addresses,” said Romania. cyber security company Said In a report shared with The Hacker News.

Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda, is an Iranian government-backed APT group affiliated with the Islamic Revolutionary Guard Corps (IRGC).

Over the years, this group has used a variety of means to deploy backdoors into systems belonging to various industries.

Attackers used bespoke malware such as harmPower, Drokbk, and Soldier to carry out retaliatory attacks against critical infrastructure entities in the United States in late 2021 and mid-2022, according to Microsoft. , the development of this time took place.

Then, earlier this week, Check Point revealed that Mint Sandstorm used an updated version of the PowerLess implant to attack an organization located in Israel using an Iraqi-themed phishing lure.

According to Bitdefender researcher Martin Zugec, “Custom-developed malware, also known as ‘customized’ malware, is commonly used because it is written specifically to evade detection and contains unique code. difficult to detect.

It is suspected of exploiting known vulnerabilities in internet-facing applications such as Microsoft Exchange Server and Zoho ManageEngine, but the exact tactics used to achieve the initial intrusion are currently unknown.

After a successful compromise, the attacker will attempt to disable Microsoft Defender using PowerShell commands to establish persistence on the host. service instance.

Bitdefender also states that Charming Kitten has downloaded two Internet Information Services (IIS) modules that can process incoming commands and steal credentials.

BellaCiao is also known to perform DNS requests every 24 hours to resolve subdomains to IP addresses. This IP address is then parsed to extract commands to be executed on the compromised system.

“Resolved IP addresses are similar to real public IP addresses, with slight modifications to allow BellaCiao to receive further instructions,” Zugec explains.

“Communicates with attacker-controlled DNS servers that send malicious hardcoded instructions through resolved IP addresses that mimic the real IP address of the target. As a result, instead of traditional downloads, Additional malware is dropped via hardcoded instructions.”

Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports arbitrary file uploads and downloads and command execution.

We also found a second variant of BellaCiao that replaces the web shell with the Plink tool, PuTTY’s command-line utility. Reverse proxy connection It sends to remote servers and implements similar backdoor functionality.

The attack has been assessed as being in the second stage after an opportunistic attack, BellaCiao being customized and deployed to carefully selected targeted victims following indiscriminate exploitation of vulnerable systems. .

“The best protection against modern attacks requires implementing a defense-in-depth architecture,” concludes Zugec. “The first step in this process is to reduce the attack surface. This includes limiting the number of points of entry an attacker can use to gain access to a system, This includes rapid patching of vulnerabilities identified.”