On April 26, 2023, BitDefender Labs researchers reported the technical details of a new custom malware named BellaCiao they attribute to the Iranian Charming Kitten advanced persistent threat (APT).
Context
According to the report, “This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.” BitDefender reported that samples of BellaCiao they analyzed targeted organizations in the United States, Europe, the Middle East (Turkey), and Asia (India).
Technical Details
According to the report,
- “The BellaCiao is a dropper malware – it is designed to deliver other malware payloads onto a victim’s computer system, based on instructions from C2 server. The payload delivered by BellaCiao is not downloaded but hardcoded into the executable as malformed base64 strings and dumped when requested.”
- Each sample analyzed was tailored to a specific target with hardcoded data such as company name, specific subdomains, and public IP addresses.
- All samples included PDB paths, and the folder structure in those paths organized targets by country.
- The initial infection vector is unknown, but BitDefender researchers assess that a Microsoft Exchange exploit chain or similar vulnerability was leveraged, since the primary target of the campaign was Microsoft Exchange servers.
- The malware establishes persistence by creating a new service instance whose name is disguised to resemble legitimate Exchange process names.
IOCs
BitDefender researchers shared the following indicators of compromise (IOCs):
| Indicator | Type | Notes |
|---|---|---|
| 4812449f7fad6 | MD5 | The Plink tool, used for establishing reverse proxy connections to the C2 server. The address is provided by the parent PowerShell script. |
| 3fbea74b92f418 | MD5 | The Plink tool, used for the same purpose but executed via wmic.exe. |
| c450477ed9c347 | MD5 | PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe for communicating with mail-updateservice[.]info. |
| c6f394847eb3dc2 | MD5 | PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe for communicating with mail-updateservice[.]info. |
| 7df50cb7d46206 | MD5 | PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe for communicating with mail-updateservice[.]info. |
| e7149c402a377 | MD5 | PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe for communicating with mail-updateservice[.]info. |
| 284cdf5d2b293 | MD5 | PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeServicesLog.exe for communicating with mailupdate[.]com and msn-service[.]co. |
| 2daa29f965f6614 | MD5 | PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeDiagnosticServices.exe for communicating with maill-support[.]com and msn-center[.]uk. |
| f56a6da833289f | MD5 | 88[.]80[.]148[.]162 |
| mail-updateservice[.]info | Domain | |
| msn-center[.]uk | Domain | |
| msn-service[.]co | Domain | |
| twittsupport[.]com | Domain | |
| mailupdate[.]info | Domain | |
| maill-support[.]com | Domain | |
| 88[.]80[.]148[.]162 | IP Address | |
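The domains, IP address and dropped-executable paths above can be turned directly into a retrospective hunt over DNS, firewall and process-creation logs. The script below is an added example written for this advisory, not code from BitDefender's report: it refangs the defanged indicators exactly as the table prints them, then scans log lines for the domains (including any subdomain), the C2 IP and the executable paths named in the notes. The MD5 hashes are deliberately left out because the page reproduces only truncated prefixes, and the sample log lines are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# Indicators copied from the advisory table, still in defanged form.
DEFANGED_DOMAINS = [
    "mail-updateservice[.]info",
    "msn-center[.]uk",
    "msn-service[.]co",
    "twittsupport[.]com",
    "mailupdate[.]info",
    "maill-support[.]com",
]
DEFANGED_IPS = ["88[.]80[.]148[.]162"]

# Dropped executables named in the IOC notes (paths as given on the page).
SUSPICIOUS_PATHS = [
    r"C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe",
    r"C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeServicesLog.exe",
    r"C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeDiagnosticServices.exe",
]


def refang(ioc: str) -> str:
    """Convert the common '[.]', '[[.]]' and '(.)' defang styles back to a real dot."""
    ioc = re.sub(r"\[\[?\.\]\]?", ".", ioc)
    ioc = ioc.replace("(.)", ".")
    return ioc.lower()


def scan_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit record per indicator found in each log line."""
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    ips = {refang(i) for i in DEFANGED_IPS}
    paths = {p.lower() for p in SUSPICIOUS_PATHS}
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        low = line.lower()
        for d in domains:
            # Match the domain itself or any subdomain of it, but not a
            # longer name that merely ends with it (e.g. "notmailupdate.info").
            if re.search(r"(?<![a-z0-9-])" + re.escape(d) + r"(?![a-z0-9-])", low):
                hits.append({"line": lineno, "type": "domain", "ioc": d})
        for ip in ips:
            # Guard both sides so 188.80.148.162 or 88.80.148.1620 do not match.
            if re.search(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])", low):
                hits.append({"line": lineno, "type": "ip", "ioc": ip})
        for p in paths:
            if p in low:
                hits.append({"line": lineno, "type": "path", "ioc": p})
    return hits


# Constructed sample log lines (not from the report) covering a DNS resolver,
# a Sysmon process-creation event and a firewall allow record.
SAMPLE_LOGS = [
    "2023-04-27T10:01:02Z dns query client=10.0.0.5 qname=mail-updateservice.info qtype=A",
    "2023-04-27T10:01:03Z dns query client=10.0.0.5 qname=update.microsoft.com qtype=A",
    "2023-04-27T10:02:10Z sysmon EventID=1 Image=C:\\ProgramData\\Microsoft\\DRMS\\JavaUpdateServices.exe "
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2023-04-27T10:02:11Z firewall allow src=10.0.0.5 dst=88.80.148.162 dport=443",
    "2023-04-27T10:03:00Z dns query client=10.0.0.6 qname=notmailupdate.info qtype=A",
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} indicator {hit['ioc']}")
```

Run against real telemetry, the same `scan_lines` function can be fed an open log file; the boundary lookarounds around the domain and IP patterns are what keep a bulk hunt from drowning in false positives from unrelated names that happen to contain an indicator as a substring.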