BellaCiao malware, the primary weapon of Charming Kitten

May 2, 2023

The Iranian state-sponsored hacking group Charming Kitten has updated its tactics, techniques, and procedures (TTPs) to deploy the BellaCiao malware in its current operation. Researchers explained that the malware authors designed the weapon for individual targets, since every observed sample could be linked to a particular victim.

Each sample is built around hard-coded, victim-specific details such as the company name, specially crafted subdomains, and a public IP address. The malware is a personalised dropper that deploys additional payloads onto a victim's device when prompted by an attacker-controlled server.

BellaCiao also uses an unusual approach to communicating with its command-and-control infrastructure. The operators additionally drop several IIS modules that handle credential exfiltration and process incoming instructions.


The BellaCiao malware allegedly leverages bugs within internet-exposed apps to propagate and infect different targets worldwide.


BellaCiao could have exploited previously identified vulnerabilities in publicly exposed applications such as Microsoft Exchange Server and Zoho ManageEngine.

In addition, the new campaign's victims are spread across several regions on different continents, including India, the Middle East, Europe, and the United States. The malware issues a DNS request once a day to resolve a subdomain to an IP address.

The malware then parses the resolved IP address to extract the commands that should run on the targeted system. The attack chain results in the launch of a web shell, which a second version of BellaCiao replaced with the Plink tool, creating a reverse proxy connection to a remote server and spreading similar backdoor tools.
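The daily DNS lookup described above is a detectable pattern on its own: one client resolving the same rarely-seen subdomain roughly every 24 hours with very little jitter. The script below is an added example, not code from the article or the research it summarises; it runs a simple beaconing heuristic over a constructed resolver log (timestamp, client IP, queried name). The article does not describe how commands are encoded in the resolved IP, so that step is not modelled.

```python
"""Detect daily DNS beaconing: one client resolving the same rare subdomain
about once every 24 hours, with little jitter between queries.
Added example (not from the article). Log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed resolver log: "<ISO-8601 UTC timestamp> <client> <queried name>".
# 10.0.0.12 hits a CDN name at irregular times (benign); 10.0.0.23 resolves a
# victim-specific looking subdomain at about 09:15 every day (the beacon pattern).
SAMPLE_LOG = """\
2023-04-01T08:02:11Z 10.0.0.12 cdn.example-content.net
2023-04-01T09:15:02Z 10.0.0.23 acme-corp-mail.attacker-example.net
2023-04-01T11:30:00Z 10.0.0.12 cdn.example-content.net
2023-04-01T16:45:00Z 10.0.0.12 cdn.example-content.net
2023-04-02T09:10:00Z 10.0.0.12 cdn.example-content.net
2023-04-02T09:14:58Z 10.0.0.23 acme-corp-mail.attacker-example.net
2023-04-02T13:20:17Z 10.0.0.31 cdn.example-content.net
2023-04-03T09:15:05Z 10.0.0.23 acme-corp-mail.attacker-example.net
2023-04-04T09:15:01Z 10.0.0.23 acme-corp-mail.attacker-example.net
"""


def parse_line(line):
    """Return (datetime, client, name) for one log line, or None if blank/malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, parts[1], parts[2].lower().rstrip(".")


def find_daily_beacons(lines, period=86400.0, tolerance=0.10, max_cv=0.05, rare_hosts=3):
    """Return one finding per (client, name) whose query intervals cluster around `period`.

    A pair is reported when it has at least three queries, the mean gap between
    queries is within `tolerance` of `period`, the jitter (coefficient of
    variation of the gaps) is below `max_cv`, and no more than `rare_hosts`
    distinct clients query that name at all (a per-victim subdomain is rare).
    """
    by_pair = defaultdict(list)
    hosts_per_name = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, name = rec
        by_pair[(client, name)].append(ts)
        hosts_per_name[name].add(client)

    findings = []
    for (client, name), stamps in by_pair.items():
        if len(stamps) < 3 or len(hosts_per_name[name]) > rare_hosts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if abs(avg - period) <= tolerance * period and cv <= max_cv:
            findings.append({"client": client, "name": name, "queries": len(stamps),
                             "mean_interval": avg, "jitter_cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_daily_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['name']}: {f['queries']} queries, "
              f"~{f['mean_interval']:.0f}s apart (cv={f['jitter_cv']:.4f})")
```

The rarity filter matters as much as the periodicity check: plenty of legitimate agents poll on a fixed schedule, but they poll names that many hosts in the fleet also resolve, whereas a subdomain crafted for one victim is typically queried by one machine.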

Experts noted that a successful attack could go on to attempt to deactivate Microsoft Defender with a PowerShell command and to establish persistence on the host through a service instance.
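Both post-exploitation steps just mentioned leave traces in PowerShell script-block logging, and they are far more telling together than apart. The script below is an added example, not code from the article; it scans a constructed, simplified rendering of Event ID 4104 records for Defender-tampering cmdlets and service creation, then correlates the two per host. The cmdlet patterns are an assumption about what such commands look like, since the article does not quote the exact command used.

```python
"""Flag PowerShell script-block events matching Defender tampering and service
creation, and report hosts where both occur close together.
Added example (not from the article). Event lines and rule patterns are
constructed/assumed, not taken from the reported campaign."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events: "<timestamp> host=<name> user=<name> 4104 ScriptBlockText=<script>".
# WEB01 shows the tamper-then-persist sequence; FS02 only creates a service (benign noise).
SAMPLE_EVENTS = [
    "2023-04-03T09:16:10Z host=WEB01 user=SYSTEM 4104 ScriptBlockText=Get-Process | Where-Object { $_.CPU -gt 100 }",
    "2023-04-03T09:16:42Z host=WEB01 user=SYSTEM 4104 ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2023-04-03T09:17:05Z host=WEB01 user=SYSTEM 4104 ScriptBlockText=New-Service -Name 'UpdaterSvc' -BinaryPathName 'C:\\ProgramData\\upd.exe' -StartupType Automatic",
    "2023-04-03T10:00:00Z host=FS02 user=admin 4104 ScriptBlockText=Get-Service | Where-Object Status -eq 'Running'",
    "2023-04-03T10:05:00Z host=FS02 user=admin 4104 ScriptBlockText=New-Service -Name 'BackupAgent' -BinaryPathName 'C:\\Program Files\\Backup\\agent.exe'",
]

EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) 4104 ScriptBlockText=(.*)$")

# Assumed detection patterns. Defender tampering: Set-/Add-MpPreference with a
# -Disable* switch or an exclusion; persistence: a service being created.
RULES = {
    "defender_tamper": re.compile(r"\b(?:Set|Add)-MpPreference\b.*?-(?:Disable\w+|Exclusion\w+)", re.I),
    "service_persistence": re.compile(r"\bNew-Service\b|\bsc(?:\.exe)?\s+create\b", re.I),
}


def parse_event(line):
    """Return a dict for one event line, or None if it does not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m.group(2), "user": m.group(3), "script": m.group(4)}


def scan_events(lines):
    """Return one finding per (event, rule) match."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RULES.items():
            if pattern.search(ev["script"]):
                findings.append({**ev, "rule": rule})
    return findings


def correlate(findings, window_seconds=600):
    """Return hosts where Defender tampering and service creation fall within `window_seconds`."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    hits = []
    for host, evs in by_host.items():
        tamper = [e["ts"] for e in evs if e["rule"] == "defender_tamper"]
        persist = [e["ts"] for e in evs if e["rule"] == "service_persistence"]
        if any(abs((p - t).total_seconds()) <= window_seconds for t in tamper for p in persist):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts'].isoformat()} {f['host']} {f['rule']}: {f['script']}")
    print("hosts with tamper + persistence:", correlate(found))
```

On its own, a `New-Service` call is routine administration and would drown an analyst in alerts; pairing it with a Defender change on the same host inside a short window is what lifts it to an incident-grade signal.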

This Iranian state-sponsored operation has continuously refreshed its arsenal with new malware strains, more sophisticated tools, and greater efficiency. Cybersecurity experts now recommend a defence-in-depth architecture to stay protected against such attacks.

For example, organisations should reduce the number of entry points an attacker could use to establish persistence and deploy malware. Individuals, firms, and organisations should also block compromised URLs, IPs, and domains on all devices.
