Researchers at the security firm Bitdefender Labs have discovered that the Iranian-backed APT group Charming Kitten is attacking victims in the US, Europe, the Middle East and India with a new malware dubbed BellaCiao.
BellaCiao is a "personalized dropper" capable of delivering other payloads to a victim computer using commands from a C2 server. According to Bitdefender Labs, each sample delivered was tied to a specific victim and contained hard-coded information such as a company name, specially crafted subdomains, or an associated public IP address.
Specially designed malware (tailored malware) is generally harder to detect because it contains unique code and is designed to avoid detection.
The exact attack vector is unknown, although it is believed that known vulnerabilities in Microsoft Exchange Server or Zoho ManageEngine web applications were used to penetrate systems.
After a successful attack, the hackers try to disable Microsoft Defender using a PowerShell command and establish persistence on the host via a service instance. The attackers also drop two Internet Information Services (IIS) modules that are capable of processing incoming instructions and extracting credentials.
BellaCiao is notable for performing a DNS query every 24 hours to resolve the subdomain to an IP address, which is then parsed to extract the commands to be executed on the compromised system.
The DNS query is answered by the attacker's DNS server, which delivers hard-coded instructions through a fake IP address that mimics the target's real public IP address. As a result, additional malware is delivered via these hard-coded instructions rather than a traditional download. Depending on the IP address returned, the attack chain leads to the deployment of a web shell that supports uploading and downloading arbitrary files, as well as executing commands.
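The two signals described above, a daily DNS query for a fixed subdomain and an answer that mimics the organization's own public IP, can be checked against resolver logs. The following is an added detection example and not Bitdefender's code; the log format, the sample names and addresses are constructed, and "mimics" is assumed here to mean an answer in the same /24 as the organization's public IP but not equal to it.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample resolver log: (timestamp, client, queried name, resolved address).
# The attacker-style subdomain and addresses are placeholders, not real indicators.
SAMPLE_LOG = [
    ("2023-04-01T02:00:05", "10.0.0.25", "mail.example-corp.com", "203.0.113.10"),
    ("2023-04-01T02:00:09", "10.0.0.40", "ingest.attacker-example.net", "198.51.100.77"),
    ("2023-04-02T02:00:06", "10.0.0.40", "ingest.attacker-example.net", "198.51.100.78"),
    ("2023-04-03T02:00:07", "10.0.0.40", "ingest.attacker-example.net", "198.51.100.79"),
    ("2023-04-01T09:15:00", "10.0.0.31", "cdn.example-cdn.com", "192.0.2.14"),
]

# Constructed: the organization's real public IP address.
ORG_PUBLIC_IP = ipaddress.ip_address("198.51.100.50")


def mimics_public_ip(resolved, org_ip=ORG_PUBLIC_IP):
    """Assumption: a mimicking answer sits in the org's /24 but is not the org's own address."""
    r = ipaddress.ip_address(resolved)
    org_net = ipaddress.ip_network(f"{org_ip}/24", strict=False)
    return r in org_net and r != org_ip


def periodic_24h(entries, tolerance=timedelta(minutes=30)):
    """Return (client, name) pairs queried at a roughly daily cadence (at least three queries)."""
    by_key = {}
    for ts, client, name, _ in entries:
        by_key.setdefault((client, name), []).append(datetime.fromisoformat(ts))
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        if len(deltas) >= 2 and all(abs(d - timedelta(hours=24)) <= tolerance for d in deltas):
            flagged.add(key)
    return flagged


def find_suspect_beacons(entries, org_ip=ORG_PUBLIC_IP):
    """Combine both signals: daily cadence AND an answer that mimics the org's public IP."""
    daily = periodic_24h(entries)
    return [
        (ts, client, name, resolved)
        for ts, client, name, resolved in entries
        if (client, name) in daily and mimics_public_ip(resolved, org_ip)
    ]


if __name__ == "__main__":
    for hit in find_suspect_beacons(SAMPLE_LOG):
        print("suspect DNS beacon:", hit)
```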
A second variant of BellaCiao has also been seen, which replaces the web shell with Plink, the PuTTY command-line connection tool, used to establish a reverse proxy connection to a remote server and implement backdoor functions.
In a campaign that has targeted multiple industries and companies, the BellaCiao dropper is configured and deployed against carefully selected victims after indiscriminate exploitation of vulnerable systems. The detected Charming Kitten attacks are especially effective against systems that are poorly maintained, have outdated software or weak passwords, and against small companies that lack detection and response capabilities.