BitDefender details Charming Kitten’s BellaCiao malware targeting multiple victims in US, Europe, Middle East, India

Researchers from Bitdefender Labs identified the modernization of Charming Kitten’s tactics, techniques, and procedures (TTPs), including a new, previously unseen malware called BellaCiao. The malware has been tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure. The team has identified multiple victims in the U.S. and Europe, but also in the Middle East (Turkey) and India.

“Charming Kitten (also known as APT35/APT42, Mint Sandstorm/PHOSPHORUS, ITG18, UNC788, Yellow Garuda or TA453) is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC),” Martin Zugec wrote in a BitDefender Labs blog post on Wednesday. “Charming Kitten has been on the radar of the infosec community since 2014 and was infamous for targeting political dissidents, activists, journalists, and individuals protesting oppressive regimes.”

While this group mostly relied on social engineering and spear phishing to achieve its goals, Zugec added that it was known for using sophisticated methods, including the impersonation of well-known researchers or activists.

After a transition of power in Iran in 2021, “cyberattacks attributed to IRGC threat actors started increasing in scope, scale, and sophistication,” Zugec wrote. The IRGC and its associated APT groups adopted a more aggressive and confrontational approach and demonstrated a willingness to use force to achieve their objectives.

During this transitional period, “Charming Kitten (and other associated groups) became more proficient in quickly weaponizing publicly disclosed PoCs. Although they required several weeks to weaponize Log4Shell in 2022, the initial attempts to exploit CVE-2022-47966 in Zoho ManageEngine were identified on the same day the PoC was made public,” Zugec added. 

BitDefender researchers located multiple BellaCiao samples, and each sample collected was tied to a specific victim and included hardcoded information such as company name, specially crafted subdomains, or associated public IP address. “Because all binaries are highly customized and can reveal information about victims, we are not including information such as MD5 or SHA256 hashes in this report,” the post noted.

Furthermore, “all samples that we collected included [dot]pdb paths. PDB (Program DataBase) is a file format used by Microsoft Visual Studio for storing debugging information about an executable or DLL file. We used it to extract build information of the project, including the project name and path that was configured in Visual Studio,” the post added.

The exact initial infection vector is unknown, but “we expect Microsoft Exchange exploit chain (like ProxyShell/ProxyNotShell/OWASSRF) or similar software vulnerability. Primary target was Microsoft Exchange servers. Upon deployment, BellaCiao immediately attempts to disable Microsoft Defender using a PowerShell command. A new service instance is created to establish persistence. Legitimate process names specific to Microsoft Exchange server were used to blend in, a common technique known as masquerading,” the post added.

Threat actors also attempted to download two IIS backdoors – the first one was a build of IIS-Raid, a native IIS module that processes every IIS request, looking for predefined headers with a password and command to execute, and the second backdoor was a [dot]NET IIS module for credential exfiltration, similar to the first one, with different headers. 

The BellaCiao executables run as a service, such as Microsoft Exchange Services Health. BellaCiao is dropper malware, designed to deliver other malware payloads onto a victim’s computer system based on instructions from the C2 server. The payload delivered by BellaCiao is not downloaded but hardcoded into the executable as malformed base64 strings and dumped when requested.

To receive instructions from the C2 server, BellaCiao is using a unique approach to domain name resolution and parsing of the returned IP address, the post added. “The executable code of BellaCiao compares a resolved IP address returned by a DNS server under the control of a threat actor with an IP address that has been hardcoded into the program. The resolved IP address is like the real public IP address, but with slight modifications that allow BellaCiao to receive further instructions.”
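As an added illustration (not code from the Bitdefender report), the following Python heuristic shows how a defender could sweep DNS resolver logs for this pattern: answers that are almost, but not exactly, the host's own public IP. The log lines, the public IP and the assumption that the modifications stay within one octet are constructed for the example, not taken from the report.

```python
"""Heuristic detector for BellaCiao-style DNS 'near-miss' C2 signalling.

Added example, not Bitdefender's code. The report says BellaCiao resolves an
attacker-controlled name and compares the answer with a hardcoded copy of the
victim's public IP; the answer resembles that IP with slight changes that
encode instructions. Assumption (not stated in the report): the changes are
confined to a small number of octets, so we flag answers that differ from the
host's known public IP in at most `max_octets` octets but are not equal.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample resolver log lines: "<timestamp> <query name> -> <answer>"
SAMPLE_LOG = """\
2023-04-25T10:00:01Z mail.example-corp.test -> 203.0.113.10
2023-04-25T10:00:02Z update.example-corp.test -> 203.0.113.10
2023-04-25T10:05:03Z update.example-corp.test -> 203.0.113.12
2023-04-25T10:10:04Z update.example-corp.test -> 203.0.113.200
2023-04-25T10:12:05Z cdn.unrelated.test -> 198.51.100.7
"""

PUBLIC_IP = "203.0.113.10"  # constructed: the monitored host's real public address


def octet_distance(a: str, b: str) -> int:
    """Number of octets in which two IPv4 addresses differ."""
    pa = ipaddress.IPv4Address(a).packed
    pb = ipaddress.IPv4Address(b).packed
    return sum(x != y for x, y in zip(pa, pb))


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse the constructed log format into (timestamp, name, answer) tuples."""
    records = []
    for line in text.splitlines():
        ts, name, _arrow, answer = line.split()
        records.append((ts, name, answer))
    return records


def near_miss_answers(records, public_ip: str, max_octets: int = 1):
    """Return (name, answer) pairs whose answer is a near-miss of public_ip.

    An exact match is benign (the name genuinely resolves to the host); an
    answer differing in only a few octets is the signalling pattern described.
    """
    hits = []
    for _ts, name, answer in records:
        if answer == public_ip:
            continue
        if octet_distance(answer, public_ip) <= max_octets:
            hits.append((name, answer))
    return hits
```

Repeated near-miss answers for the same name are the strongest signal; a single hit may just be a CDN rotating addresses in the same /24.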

The researchers also analyzed a second variant of BellaCiao, which contains a different payload. “This second variant drops the Plink tool and PowerShell script hardcoded locations. The PowerShell scripts execute the Plink tool for establishing a reverse proxy connection to the C2 to enable interaction with the PowerShell web server.”

The PowerShell web server implements various operations, including command execution, execute script, download file, upload file, upload web logs, report web server start time, report current time, beep, and stop web server. 

Earlier this month, Microsoft said it had observed, over the past several months, a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its TTPs. Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to quickly and successfully access environments of interest. “This Mint Sandstorm subgroup has also continued to develop and use custom tooling in selected targets, notably organizations in the energy and transportation sectors,” the post added.

“Mint Sandstorm is known to pursue targets in both the private and public sectors, including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East,” according to Microsoft. “Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.”

BitDefender called upon organizations to protect against modern attacks by implementing a defense-in-depth architecture, which employs multiple layers of security measures designed to protect against a variety of threats. The first step in the process is to reduce the attack surface: limit the number of entry points that attackers can use to gain access to systems, and promptly patch newly discovered vulnerabilities.

In addition to reducing the attack surface, it is important to implement automated protection controls that can detect and block most security incidents before they can cause any harm. Implementing IP, domain, and URL reputation is one of the most effective methods of defeating automated vulnerability exploits.
