Iranian Charming Kitten APT Used a New BellaCiao Malware in Recent Wave of Attacks

Cyber Security Threat Summary:
“Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media. Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia” (Security Affairs, 2023).

New research from Bitdefender highlights a new campaign using a sophisticated piece of custom malware called BellaCiao that is tailored for individual targets. Since 2021, Iranian APT groups have adopted a more aggressive strategy, quickly weaponizing publicly disclosed proof of concepts (PoCs).

Bitdefender identified multiple samples of the BellaCiao malware, each of them was customized to target a specific victim and included hardcoded information such as company name, specially crafted subdomains, or associated public IP address. “All samples that we collected included .pdb paths. PDB (Program DataBase) is a file format used by Microsoft Visual Studio for storing debugging information about an executable or DLL file.” reads the report published by Bitdefender. The researchers used it to extract build information of project, including the project name and path that was configured in Visual Studio. “Using information from these files, we can learn that victims were organized in different folders by country, using folder names like IL(Israel), TR(Turkey), AT(Austria), IN(India) or IT(Italy)”

Security Officer Comments:
Specifically, BellaCiao’s goal is to act as a dropper for other malware payloads. Most notably, attackers are using Microsoft Exchange exploits like ProxyShell, ProxyNotShell, and OWASSRF to deploy the malware. Once deployed, BellaCiao immediately attempts to disable Microsoft Defender using a PowerShell command.

The malware achieves persistence via a new service instance, experts also observed the attackers attempting to download two IIS backdoors from 188[.]165[.]174[.]199:18080. BellaCiao parses the return IP address to receive instructions from a C2 server. The malware performs a DNS request every 24 hours to resolve a subdomain that is hardcoded uniquely for each victim.

“The executable code of BellaCiao compares a resolved IP address returned by a DNS server under the control of a threat actor with an IP address that has been hardcoded into the program. The resolved IP address is like the real public IP address, but with slight modifications that allow BellaCiao to receive further instructions.” reads the report published by the experts.

Another variant of BellaCiao analyzed by the experts contains different payload, it drops the Plink tool and PowerShell script hardcoded locations. The PowerShell scripts executes the Plink tool to set up a reverse proxy connection to the C2 to enable interaction with the PowerShell web server


T1190 - Exploit Public-Facing Application
The exact initial infection vector is unknown, but we expect Microsoft Exchange exploit chain (like ProxyShell/ProxyNotShell/OWASSRF) or similar software vulnerability. Primary target was Microsoft Exchange servers.

T1562.001 - Impair Defenses: Disable or Modify Tools
BellaCiao immediately attempts to disable Microsoft Defender using PowerShell commands.

T1543.003 - Create or Modify System Process: Windows Service
T1036.004 - Masquerading: Masquerade Task or Service
A new service instance is created to establish persistence. Legitimate process names specific to Microsoft Exchange server were used to blend in, a common technique known as masquerading

T1203 - Exploitation for Client Execution
The BellaCiao executable is written to one of the following locations:

C:\ProgramData\Microsoft\DRMS\Microsoft Exchange Services Health[.]exe
C:\ProgramData\Microsoft\Diagnostic\Exchange Agent Diagnostic Services[.]exe
C:\Users\Public\Microsoft\Diagnostic\Microsoft Services Diagnostics Logs[.]exe

T1071.004 - Application Layer Protocol: DNS
A DNS request is performed every 24 hours to resolve a subdomain (hardcoded string unique for each victim).

T1105 - Ingress Tool Transfer The BellaCiao is a dropper malware – it is designed to deliver other malware payloads onto a victim’s computer system, based on instructions from C2 server. The payload delivered by BellaCiao is not downloaded but hardcoded into the executable as malformed base64 strings and dumped when requested.

T1059.001 - Command and Scripting Interpreter: PowerShell
PowerShell web server implements the following operations:

  • Command execution
  • Execute script
  • Download file

  • Upload file
  • Upload web logs
  • Report web server start time
  • Report current time
  • Beep
  • Stop web server

    Suggested Corrections:
    “The best protection against modern attacks involves implementing a defense-in-depth architecture,” concludes the report. “The first step in this process is to reduce the attack surface, which involves limiting the number of entry points that attackers can use to gain access to your systems and prompt patching of newly discovered vulnerabilities” (BitDefender, 2023).