Charming Kitten's New Malware

11038585896?profile=RESIZE_400xThe nasty Iranian nation-state APT group known as Charming Kitten is actively targeting multiple victims in the US, Europe, the Middle East, and India with a new malware named BellaCiao, adding to its ever-expanding list of custom tools.  Discovered by Bitdefender Labs, BellaCiao is a "Personalized dropper" that is capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server.  The attackers appear to customize their attacks for each victim, including the malware binary, which contains hardcoded information such as company names, custom subdomains, and IP addresses. Debugging information and file paths from a compilation that was left inside the executable suggest the attackers are organizing their victims into folders by country code, such as IL (Israel), TR (Turkey), AT (Austria), IN (India), or IT (Italy).[1]

Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, the group has utilized various means to deploy backdoors in systems belonging to various industry verticals.

See:  https://redskyalliance.org/xindustry/charming-kitten-is-a-bad-kitty

See:  https://redskyalliance.org/xindustry/charming-kitten-does-not-make-a-good-pet

The development comes as Microsoft attributed the threat actor to retaliatory attacks aimed at critical infrastructure entities in the US between late 2021 to mid-2022 using malware such as CharmPower, Drokbk, and Soldier.  Recently, Check Point disclosed Mint Sandstorm's use of an updated version of the PowerLess implant to strike organizations in Israel using Iraq-themed phishing lures.  Custom-developed malware, or 'tailored' malware, is generally harder to detect because it is specifically crafted to evade detection and contains unique code.

The exact method used to achieve initial intrusion is currently undetermined. However, it's suspected to entail the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine.

A successful breach is followed by the threat actor attempting to disable Microsoft Defender using a PowerShell command and establishing persistence on the host via a service instance.

Bitdefender said it also observed Charming Kitten downloading two Internet Information Services (IIS) modules capable of processing incoming instructions and exfiltrating credentials.

BellaCiao, for its part, is notable for performing a DNS request every 24 hours to resolve a subdomain to an IP address that's subsequently parsed to extract the commands to be executed on the compromised system.  The resolved IP address is like the real public IP address but with slight modifications that allow BellaCiao to receive further instructions.

It communicates "with an attacker-controlled DNS server that sends malicious hard-coded instructions via a resolved IP address that mimics the target's real IP address.  Additional malware is dropped via hard-coded instructions rather than traditional download."  Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports the ability to upload and download arbitrary files and run commands.

Also identified is a second variant of BellaCiao that substitutes the web shell for a Plink tool, a command-line utility for PuTTY that is designed to establish a reverse proxy connection to a remote server and implement similar backdoor features.

The campaign, which has targeted many industries and company sizes, is assessed to be an outcome of opportunistic attacks, where BellaCiao is customized and deployed against carefully selected victims of interest following indiscriminate exploitation of vulnerable systems.  This type of attack is particularly effective against systems that are not well-maintained, have outdated software or security patches, have weak passwords, or, in many cases, smaller companies that do not have detection and response capabilities.  With the increasing popularity of vulnerability exploits and automated attacks, even small companies can become a target for state-affiliated threat actors.  The best protection against modern attacks involves implementing a defense-in-depth architecture.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com 

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941    
Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989    

 

[1] https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!