‘BellaCiao’ Showcases How Iran’s Threat Groups Are Modernizing Their Malware


A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Iran’s state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.

The malware, dubbed “BellaCiao,” is a dropper that Iran’s Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.

A Highly Customized Threat

Researchers at Bitdefender discovered the new malware when investigating activity related to three other recent malware tools associated with Charming Kitten. Their analysis of the malicious code — summarized in a blog post this week — uncovered a couple of features that set it apart from many other malware samples.

One was the specifically targeted nature of the dropper that ended up on each victim’s system. The other was BellaCiao’s unique and hard-to-detect style of communicating with its command-and-control (C2) server.

“Each sample we’ve collected is custom-built for each victim,” says Martin Zugec, technical solutions director at Bitdefender. Each sample includes hard-coded information that is specific to the victim organization, such as the company’s name, public IP addresses, and specially crafted subdomains.

Charming Kitten’s apparent intention in making the malware victim-specific is to blend in on host systems and networks, Zugec says. For instance, the subdomains and IP addresses the malware uses in interacting with the C2 are similar to the real domain and public IP addresses of the victim. Bitdefender’s analysis of the malware’s build information showed its authors had organized victims in different folders with names that indicated the countries in which they were located. The security vendor found that Charming Kitten actors used victim-optimized versions of BellaCiao, even when the target victim was from a noncritical sector.
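The blending-in technique described above, where the implant's C2 names resemble the victim's own domain, suggests a detection check on the defender's side: flag DNS queries whose registrable domain looks like the organization's domain but is not it. The following is an added example, not code from Bitdefender or from the article; the organization domain `example-corp.com`, the log format, and the sample query lines are all constructed placeholders, and the registrable-domain logic is a deliberately naive "last two labels" rule.

```python
"""Flag DNS queries for domains that look like an organization's own domain.

Added example (not from the Bitdefender report). BellaCiao is described as
using subdomains that resemble the victim's real domain so C2 traffic blends
in; this scans constructed DNS log lines for such lookalike names.
"""
import re

# Assumption: the defending organization's legitimate registrable domain.
LEGIT_DOMAIN = "example-corp.com"

# Constructed sample DNS query log (not real telemetry; format is made up).
SAMPLE_DNS_LOG = """\
2023-04-25T10:01:02Z host1 query A mail.example-corp.com
2023-04-25T10:01:05Z host1 query A updates.microsoft.com
2023-04-25T10:02:11Z host2 query A vpn.example-corp.com
2023-04-25T10:03:40Z host2 query A cdn.examp1e-corp.com
2023-04-25T10:04:01Z host3 query A example-corp.co
2023-04-25T10:05:13Z host1 query A portal.example-corp-secure.com
"""

# Extracts the queried name from a line such as "... query A mail.example.com".
QUERY_RE = re.compile(r"query\s+\w+\s+(\S+)\s*$")


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels of a name.

    Naive on purpose: 'co.uk'-style suffixes need a public-suffix list.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike(fqdn: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> bool:
    """True if fqdn's registrable domain resembles, but is not, the legit domain.

    Two signals: the legit base label embedded in a different registrable
    domain (example-corp-secure.com), or a small edit distance from the
    legit domain (examp1e-corp.com, example-corp.co).
    """
    observed = registrable_domain(fqdn)
    legit = legit.lower()
    if observed == legit:
        return False  # the organization's own domain is never flagged
    base_label = legit.split(".")[0]
    if base_label in observed:
        return True
    return levenshtein(observed, legit) <= max_distance


def scan_dns_log(log_text: str, legit: str = LEGIT_DOMAIN) -> list[str]:
    """Return the queried names in log_text that look like the legit domain."""
    flagged = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line in the assumed format
        name = match.group(1)
        if is_lookalike(name, legit):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in scan_dns_log(SAMPLE_DNS_LOG):
        print("lookalike domain queried:", name)
```

Run against the constructed log, the scan flags `cdn.examp1e-corp.com`, `example-corp.co` and `portal.example-corp-secure.com` while leaving the organization's real hosts and an unrelated vendor domain alone. In production the two-label rule should be replaced with a public-suffix-aware parser, and the hits should be correlated with the hard-coded public IP addresses the article mentions, since resolution to an address outside the organization's own ranges is the stronger signal.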

Unique Approach to Receiving C2 Commands

Zugec says the manner in which BellaCiao interacts with the C2 server and receives commands from it is also unique. “The communication between implant and C2 infrastructure is based…
