December 25, 2024
Severity
High
Analysis Summary
A C++ version of the well-known BellaCiao malware has been observed in use by the Iranian nation-state APT group Charming Kitten. The researchers who named the new variant BellaCPP found the artifact during a recent investigation of a compromised machine in Asia that was also infected with BellaCiao itself.
In April 2023, researchers published the first documentation about BellaCiao, characterizing it as a customized dropper that could deliver extra payloads. The APT has used the malware in cyberattacks against India, the Middle East, and the United States. The Charming Kitten threat actor has created numerous custom malware families over the years, and this is one of them. The advanced persistent threat (APT) group is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). It goes by the following names: APT35, CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.
According to the researchers, BellaCiao attacks weaponize known security flaws in publicly accessible applications such as Microsoft Exchange Server and Zoho ManageEngine, even though the group has a long history of elaborate social-engineering campaigns to win targets' trust and deliver malware. The .NET-based BellaCiao family gives an intrusion a distinctive twist by combining the ability to create a covert tunnel with the stealthy persistence of a web shell.
The C++ version of BellaCiao is a DLL named "adhapl.dll" that provides the same functionality as its .NET parent and contains code to load a further, as-yet-unrecovered DLL ("D3D12_1core.dll") that is probably used to establish the SSH tunnel. What sets BellaCPP apart is the absence of the web shell that BellaCiao uses to run commands and to upload and download arbitrary files; it is effectively a C++ port of those BellaCiao samples that lack web shell capabilities. BellaCPP uses domains previously linked to the threat actor.
Impact
- Command Execution
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- systemupdate.info
MD5
- 14f6c034af7322156e62a6c961106a8c
- 44d8b88c539808bb9a479f98393cf3c7
- e24b07e2955eb3e98de8b775db00dc68
- 8ecd457c1ddfbb58afea3e39da2bf17b
- 103ce1c5e3fdb122351868949a4ebc77
- 28d02ea14757fe69214a97e5b6386e95
- 4c6aa8750dc426f2c676b23b39710903
- ac6ddd56aa4bf53170807234bc91345a
- 36b97c500e36d5300821e874452bbcb2
- febf2a94bc59011b09568071c52512b5
- ac4606a0e10067b00c510fb97b5bd2cc
SHA-256
- 7e761786ff674de0adcbd62ed6adcb5237b2e23d5e6e2a4799f23037463513c5
- 5f2c954dc7b35c4d31084ce43d7e5f88ffd803f848dbdd77f3112aca01325d06
- 5ecbfc037a992fa71b6da1229308840692589f019f5ffd77efaefecd322179f1
- 1bcb35deb900c2c12f2b96071a24023a026ffb09464cfd446f8bf6d928c1365e
- c8ac671b0ab1bddabb229a0f28d0e52b2efbcc7415254ceb720452fa4ac7942a
- b2b3e8b3da25215ff5dc3965da852a27fefde958c6d06ddffe36087bd0f6d1a5
- 6a5f8868456ce708c7d6318c10a27bfb576da1a02ff8f8575d2007f5c2f88e54
- d967148e4289fd6b831c4bc9ec5bb808a384bd7d334fb2d1ab3a498f680315c7
- 8dd77dfd8da749741fa9aadbe82e62b273c1c3565debbb753fafedb18a9f50c0
- 0f696b7505255119b3ca53f57c2f829fc282d227d7a1577e698687a199800ef1
- 81b6911bec25c314c256e3e04e1826169359bfcbbed76acd14f18a05baf0a28a
SHA-1
- 2d22f3744a9dada4638486fb26b3404364c1418b
- 1dd27a926e98c9305bd1689a9f7c33e0e3070d4b
- 2873d5c7b215a68bf02697ba169078919aeee474
- 0431fe37bf744d5416e2f2a3220c5dc696e0fda3
- 9f6c7d3f02f6e214f56c3a3fc218a564fb8cb3c0
- d0eb6cb3ca82d2d2e1d30af4dfe7ed744111c6d7
- 7697329bd6afaa0874e8ef1ae81ad27baa1863ec
- ac5b30aea5f5c36ff6918a7545740f7fb4301650
- 7995fc3ee9a9a97561774d1652a768d9586c259a
- 74d53b909c75c5850c0c0eaad71ad98ca3546064
- d3d67296c8fe2b10a3626eeee0b9bcc26157de99
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software on time and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
- Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
- Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before attackers exploit them.
- Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the Sidewinder APT group and other threat actors.
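As a worked example of the first two remediation steps (block and search for the listed indicators), the following Python script is an added illustration and not part of the advisory or the researchers' tooling. It hashes every file under a directory and compares the MD5, SHA-1 and SHA-256 digests against the hash list above, flags the two DLL names mentioned in the analysis, and scans DNS query log lines for the listed domain or any subdomain of it. The log line format and the files created in `demo()` are constructed for illustration; adapt `HOST_RE` or the line parsing to your resolver's actual log format.

```python
"""Hunt for this advisory's indicators: IOC domain in DNS logs, IOC hashes and
DLL names on disk. Added example; the indicator values are copied from the advisory."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

IOC_DOMAINS = {"systemupdate.info"}
IOC_FILENAMES = {"adhapl.dll", "d3d12_1core.dll"}  # compared case-insensitively
IOC_HASHES = {
    # MD5
    "14f6c034af7322156e62a6c961106a8c", "44d8b88c539808bb9a479f98393cf3c7",
    "e24b07e2955eb3e98de8b775db00dc68", "8ecd457c1ddfbb58afea3e39da2bf17b",
    "103ce1c5e3fdb122351868949a4ebc77", "28d02ea14757fe69214a97e5b6386e95",
    "4c6aa8750dc426f2c676b23b39710903", "ac6ddd56aa4bf53170807234bc91345a",
    "36b97c500e36d5300821e874452bbcb2", "febf2a94bc59011b09568071c52512b5",
    "ac4606a0e10067b00c510fb97b5bd2cc",
    # SHA-256
    "7e761786ff674de0adcbd62ed6adcb5237b2e23d5e6e2a4799f23037463513c5",
    "5f2c954dc7b35c4d31084ce43d7e5f88ffd803f848dbdd77f3112aca01325d06",
    "5ecbfc037a992fa71b6da1229308840692589f019f5ffd77efaefecd322179f1",
    "1bcb35deb900c2c12f2b96071a24023a026ffb09464cfd446f8bf6d928c1365e",
    "c8ac671b0ab1bddabb229a0f28d0e52b2efbcc7415254ceb720452fa4ac7942a",
    "b2b3e8b3da25215ff5dc3965da852a27fefde958c6d06ddffe36087bd0f6d1a5",
    "6a5f8868456ce708c7d6318c10a27bfb576da1a02ff8f8575d2007f5c2f88e54",
    "d967148e4289fd6b831c4bc9ec5bb808a384bd7d334fb2d1ab3a498f680315c7",
    "8dd77dfd8da749741fa9aadbe82e62b273c1c3565debbb753fafedb18a9f50c0",
    "0f696b7505255119b3ca53f57c2f829fc282d227d7a1577e698687a199800ef1",
    "81b6911bec25c314c256e3e04e1826169359bfcbbed76acd14f18a05baf0a28a",
    # SHA-1
    "2d22f3744a9dada4638486fb26b3404364c1418b", "1dd27a926e98c9305bd1689a9f7c33e0e3070d4b",
    "2873d5c7b215a68bf02697ba169078919aeee474", "0431fe37bf744d5416e2f2a3220c5dc696e0fda3",
    "9f6c7d3f02f6e214f56c3a3fc218a564fb8cb3c0", "d0eb6cb3ca82d2d2e1d30af4dfe7ed744111c6d7",
    "7697329bd6afaa0874e8ef1ae81ad27baa1863ec", "ac5b30aea5f5c36ff6918a7545740f7fb4301650",
    "7995fc3ee9a9a97561774d1652a768d9586c259a", "74d53b909c75c5850c0c0eaad71ad98ca3546064",
    "d3d67296c8fe2b10a3626eeee0b9bcc26157de99",
}

# Dotted hostname-like tokens in a log line (labels of letters, digits, hyphens).
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+", re.I)


def file_digests(path):
    """Return (md5, sha1, sha256) hex digests, reading the file once in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_tree(root):
    """Walk root and return (path, reasons) for files whose name or any digest matches an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = ["filename"] if name.lower() in IOC_FILENAMES else []
            try:
                reasons += ["hash:" + d for d in file_digests(path) if d in IOC_HASHES]
            except OSError:
                pass  # locked or unreadable file: keep any name match, do not abort the sweep
            if reasons:
                hits.append((path, reasons))
    return hits


def domain_matches(host):
    """True if host is an IOC domain or a subdomain of one (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns_log(lines):
    """Return (line_number, hostname) for every queried name that matches an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                hits.append((n, host.lower().rstrip(".")))
    return hits


# Constructed sample log lines; the format is invented for illustration, not real telemetry.
SAMPLE_DNS_LOG = [
    "2024-12-25T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2024-12-25T10:00:02Z client=10.0.0.5 query=update.systemupdate.info. type=A",
    "2024-12-25T10:00:03Z client=10.0.0.7 query=systemupdate.info type=TXT",
    "2024-12-25T10:00:04Z client=10.0.0.7 query=notsystemupdate.info type=A",
]


def demo():
    """Build a constructed directory (placeholder bytes, not real samples) and run both scans."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "adhapl.dll").write_bytes(b"constructed placeholder, not the real sample")
        Path(root, "readme.txt").write_bytes(b"benign content")
        tree_hits = [(os.path.basename(p), r) for p, r in scan_tree(root)]
    return tree_hits, scan_dns_log(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Hash matches are exact, so a recompiled or repacked build will not trigger them; treat the DLL-name and domain checks as leads to investigate alongside the tunnel and web-shell behaviour described above, not as proof of compromise on their own.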