The prolific Iranian nation-state group known as Lovely kitten is actively targeting multiple victims in the US, Europe, the Middle East and India with a new malware called Bella Ciaoadding to their ever-expanding list of custom tools.
Discovered by Bitdefender Labs, BellaCiao is a “custom goper” that is capable of delivering other malware payloads to a victim machine based on commands received from an actor-controlled server.
“Each collected sample was linked to a specific victim and included encoded information such as the company name, specially crafted subdomains, or the associated public IP address,” the Romanian cybersecurity firm said in a report shared with The Hacker News.
Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). .
Over the years, the group has used various means to deploy backdoors in systems that belong to a wide range of vertical sectors.
The development comes as Microsoft attributed the threat actor to retaliatory attacks targeting critical infrastructure entities in the US between late 2021 and mid-2022 using tailored malware such as harmPower, Drokbk and Soldier.
Earlier this week, Check Point revealed Mint Sandstorm’s use of an updated version of the PowerLess implant to attack organizations located in Israel with Iraq-themed phishing lures.
“Custom-developed malware, also known as ‘bespoke’ malware, is generally harder to detect because it is specifically designed to avoid detection and contains unique code,” noted Bitdefender researcher Martin Zugec.
The exact modus operandi used to achieve the initial intrusion is currently undetermined, although it is suspected to involve exploiting known vulnerabilities in Internet-exposed applications such as Microsoft Exchange Server or Zoho ManageEngine.
A successful breach is followed by the threat actor attempting to disable Microsoft Defender using a PowerShell command and setting persistence to the host using a service instance.
Bitdefender said it also observed Charming Kitten downloading two Internet Information Services (IIS) modules capable of processing incoming instructions and exfiltrating credentials.
Zero Trust + Deception – Learn to Outsmart Attackers!
Learn how Deception can detect advanced threats, stop lateral movement, and improve your Zero Trust strategy. Join our in-depth webinar!
Save my seat!
BellaCiao, on the other hand, is also notable for performing a DNS request every 24 hours to resolve a subdomain to an IP address which is then analyzed to extract the commands to be executed on the compromised system.
“The resolved IP address is like the real public IP address, but with slight modifications that allow BellaCiao to receive more instructions,” Zugec explained.
It communicates “with a DNS server controlled by an attacker who sends malicious hard-coded instructions using a resolved IP address that mimics the target’s real IP address. The result is additional malware that is removed using hard-coded instructions instead of the traditional download.”
Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports the ability to upload and download arbitrary files as well as execute commands.
Also seen is a second variant of BellaCiao that replaces the web shell with a Plink tool, a command-line utility for PuTTY, designed to establish a reverse proxy connection to a remote server and implement gateway functions later similar
The attacks are assessed to be in the second stage after opportunistic attacks, in which BellaCiao is customized and deployed against carefully selected victims of interest after indiscriminate exploitation of vulnerable systems.
“The best protection against modern attacks involves implementing a defense-in-depth architecture,” Zugec concluded. “The first step in this process is to reduce the attack surface, which involves limiting the number of entry points that attackers can use to gain access to your systems and patch newly discovered vulnerabilities.”
Ikaroa is a full-stack tech company that is on the forefront of security technology. Recently, this cutting-edge organization has been monitoring the alarming rise in multi-country cyberattacks and the newly discovered BellaCiao malware, believed to be the work of the infamous hacker group Charming Kitten.
In the recent weeks, numerous indicators suggestive of malicious activity have been found in systems across multiple countries and regions, primarily in Iran. Closer analysis of these activities has revealed the presence of the BellaCiao malware, an advanced piece of malware believed to be developed by Charming Kitten.
Unlike any of the group’s previously identified malware variants, BellaCiao serves as an example of the group’s rising technical sophistication and capability. This new malicious coding is capable of intercepting confidential data, as well as accessing and stealing credentials and other sensitive information from its targets.
Ikaroa’s advanced security solutions are working hard to stop the threat posed by this particular strain of malware. The organization is using its suite of advanced threat detection and prevention technologies to thoroughly analyze and monitor suspicious activities, as well as its own specialized tools and techniques to evaluate the full scope of the attacks and its origin.
Overall, BellaCiao is a testament of the quickly changing and increasingly dangerous security landscape – and one that we must fight against at all costs. Ikaroa will continue to be at the forefront of the fight against cyber threats, providing security solutions that can protect users and organizations from malware, ransomware, and many more types of malicious attacks.