
The prolific Iranian nation-state group known as Charming Kitten has targeted multiple victims in the United States, Europe, the Middle East, and India with a new malware called BellaCiao, adding to the group's ever-growing list of custom tools.
Discovered by Bitdefender Labs, BellaCiao is a “personalized dropper” that can deliver other malware payloads to a victim’s machine based on commands received from an attacker-controlled server.
“Each collected sample was associated with a specific victim and contained hardcoded information such as company names, specially crafted subdomains, or associated public IP addresses,” the Romanian cybersecurity firm said in a report shared with The Hacker News.
Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda, is an Iranian government-backed APT group affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Over the years, this group has used a variety of means to deploy backdoors into systems belonging to various industries.
The development comes as Microsoft attributed to the group retaliatory attacks against critical infrastructure entities in the United States in late 2021 and mid-2022, carried out with bespoke malware such as CharmPower, Drokbk, and Soldier.
Then, earlier this week, Check Point revealed that Mint Sandstorm used an updated version of the PowerLess implant to attack an organization located in Israel using an Iraqi-themed phishing lure.
“Custom-developed malware, also known as ‘customized’ malware, is commonly used because it is written specifically to evade detection and contains unique code, making it difficult to detect,” said Bitdefender researcher Martin Zugec.
The attackers are suspected of exploiting known vulnerabilities in internet-facing applications such as Microsoft Exchange Server and Zoho ManageEngine, but the exact tactics used to achieve the initial intrusion are currently unknown.
After a successful compromise, the attacker will attempt to disable Microsoft Defender using PowerShell commands and establish persistence on the host via a service instance.
Bitdefender also states that Charming Kitten has downloaded two Internet Information Services (IIS) modules that can process incoming commands and steal credentials.
BellaCiao is also known to perform a DNS request every 24 hours to resolve a victim-specific subdomain to an IP address. The resolved IP address is then parsed to extract commands to be executed on the compromised system.
“Resolved IP addresses are similar to real public IP addresses, with slight modifications to allow BellaCiao to receive further instructions,” Zugec explains.
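As an added illustration (not code from the Bitdefender report or the article), the Python below scans constructed DNS resolver log lines for the beaconing shape described above: one queried name resolved roughly every 24 hours, with answers that keep changing within a single /24. The log format, hostnames, addresses and the 15-minute jitter window are assumptions; the article does not describe how commands are encoded in the address, so the check keys only on cadence and answer drift.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed resolver log lines: "<ISO timestamp> <qname> <answer>" (assumed format).
SAMPLE_LOG = """\
2023-04-20T03:14:07Z cdn.example.com 203.0.113.10
2023-04-20T03:14:09Z mail.example.net 198.51.100.25
2023-04-21T03:14:11Z cdn.example.com 203.0.113.12
2023-04-21T09:30:00Z mail.example.net 198.51.100.25
2023-04-22T03:14:15Z cdn.example.com 203.0.113.11
2023-04-23T03:14:08Z cdn.example.com 203.0.113.13
"""
DAY = 24 * 3600
JITTER = 15 * 60  # tolerate +/- 15 minutes around each 24h gap (assumption)

def parse_log(text):
    """Group (timestamp, answer) pairs by queried name."""
    by_name = defaultdict(list)
    for line in text.splitlines():
        ts, qname, answer = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_name[qname].append((when, ipaddress.ip_address(answer)))
    return by_name

def is_daily(times):
    """True if every gap between consecutive queries is ~24h (at least 2 gaps)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(gaps) >= 2 and all(abs(g - DAY) <= JITTER for g in gaps)

def answers_drift_in_subnet(addrs, prefix=24):
    """True if the answers vary but all sit in one /24: a real-looking
    public address with small modifications, as described for BellaCiao."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}
    return len(set(addrs)) > 1 and len(nets) == 1

def find_suspects(text):
    """Return queried names that show both the daily cadence and the answer drift."""
    flagged = []
    for qname, records in parse_log(text).items():
        times = [t for t, _ in records]
        addrs = [a for _, a in records]
        if is_daily(times) and answers_drift_in_subnet(addrs):
            flagged.append(qname)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))  # ['cdn.example.com']
```

Benign names with stable answers (mail.example.net in the sample) are not flagged; a hit is a lead to pivot on, not proof of compromise, since CDNs and round-robin records can also rotate within a subnet.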
Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports arbitrary file uploads and downloads and command execution.
A second variant of BellaCiao has also been discovered that swaps the web shell for the Plink tool (PuTTY’s command-line connection utility), which is used to establish a reverse proxy connection to a remote server and implement similar backdoor functionality.
“The best protection against modern attacks requires implementing a defense-in-depth architecture,” concludes Zugec. “The first step in this process is to reduce the attack surface. This includes limiting the number of points of entry an attacker can use to gain access to a system, and it includes rapid patching of identified vulnerabilities.”