Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware

BellaCiao is a highly customized dropper linked to Charming Kitten (APT35) that targets US, European, Middle Eastern, and Indian victims with victim-specific data and C2 communication. The implant combines a tailored payload, a DNS-based command channel, and multiple backdoors/web shells to enable stealthy, persistent access and flexible payload delivery. Hashtags: #BellaCiao #CharmingKitten #IRGC #ProxyShell #OWASSRF

Keypoints

  • BellaCiao is a new, highly customized dropper/implant tied to Charming Kitten (APT35/Mint Sandstorm/PHOSPHORUS) with victim-specific data embedded in samples.
  • The malware uses a unique per-victim data model, including country folders, specially crafted subdomains, and victim-specific public IPs to guide C2.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The initial access vector has not been confirmed; the researchers expect a Microsoft Exchange exploit chain or a similar software vulnerability. “The exact initial infection vector is unknown, but we expect Microsoft Exchange exploit chain (like ProxyShell/ProxyNotShell/OWASSRF) or similar software vulnerability.”
  • [T1059.001] PowerShell – A PowerShell script implements an HTTP server for executing commands; “The PowerShell script implements the HTTP server for executing commands.” The dropper also relies on PowerShell-based components and Plink for its reverse proxy.
  • [T1090] Proxy – Reverse proxy/port forwarding is used to reach the C2; “The PowerShell script executes the Plink tool for establishing a reverse proxy connection to the C2 to enable interaction with the PowerShell web server.”
  • [T1036] Masquerading – New service names mimic legitimate Exchange components to blend in; “Legitimate process names specific to Microsoft Exchange server were used to blend in.”
  • [T1543.003] Create or Modify System Process: Windows Service – A new service instance is created to establish persistence; “sc create "Microsoft Exchange Services Health" … start= auto” and “sc start "Microsoft Exchange Services Health"”
  • [T1505.003] Web Shell – The dropped .aspx webshell supports 3 operations: Upload, Download, Command execution; “The dropped .aspx webshell supports 3 operations: Upload; Download; Command execution.”
  • [T1027] Obfuscated Files or Information – The payload delivered by BellaCiao is hardcoded into the executable as malformed base64 strings and dumped when requested; “not downloaded but hardcoded into the executable as malformed base64 strings and dumped when requested.”
  • [T1105] Ingress Tool Transfer – BellaCiao functions as a dropper to deliver other payloads and tools; “The BellaCiao is a dropper malware – it is designed to deliver other malware payloads onto a victim’s computer system, based on instructions from C2 server.”
  • [T1071.004] Application Layer Protocol: DNS – The C2 channel uses per-victim DNS lookups and IP comparison to receive instructions; “A DNS request is performed every 24 hours to resolve a subdomain (hardcoded string unique for each victim) … The code compares a resolved IP address returned by a DNS server … with a hardcoded IP address.”
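A defender-side check for the indicators and behaviours summarised above (lookups against the C2 domains and their per-victim subdomains, the C2 IPs, the dropper paths, and an Exchange-named service persisted from ProgramData), as an added Python example that is not part of the Bitdefender report. The log line formats, the sample lines and the ProgramData heuristic are constructed assumptions.

```python
import re  # added detection example, not Bitdefender's code

# Indicators taken from the report summary above.
C2_DOMAINS = {"mail-updateservice.info", "msn-center.uk", "msn-service.co",
              "twittsupport.com", "mailupdate.info", "maill-support.com"}
C2_IPS = {"88.80.148.162", "188.165.174.199"}
DROPPER_PATHS = {
    r"c:\programdata\microsoft\drms\javaupdateservices.exe",
    r"c:\programdata\microsoft\diagnostic\microsoftexchangediagnosticservices.exe",
    r"c:\programdata\microsoft\diagnostic\microsoftexchangeserviceslog.exe",
}
# Assumed (constructed) line formats: 'DNS <client> <query> -> <answer>' and
# 'SVC "<service name>" <binary path>' (e.g. derived from System event 7045).
DNS_RE = re.compile(r"^DNS (\S+) (\S+) -> (\S+)$")
SVC_RE = re.compile(r'^SVC "([^"]+)" (.+)$')

def domain_matches(qname):
    """True for a C2 domain or any subdomain of it (BellaCiao uses per-victim subdomains)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)

def check_line(line):
    """Return (rule, detail) if the line matches an indicator or heuristic, else None."""
    if m := DNS_RE.match(line):
        client, qname, answer = m.groups()
        if domain_matches(qname):
            return ("bellaciao_c2_domain", f"{client} queried {qname}")
        if answer in C2_IPS:
            return ("bellaciao_c2_ip", f"{qname} resolved to {answer}")
    elif m := SVC_RE.match(line):
        name, binpath = m.groups()
        p = binpath.strip('"').lower()
        if p in DROPPER_PATHS:
            return ("bellaciao_dropper_path", f"{name!r} -> {binpath}")
        # Heuristic (assumption): Exchange-sounding service name with a binary under
        # ProgramData, where all three BellaCiao dropper paths sit.
        if "exchange" in name.lower() and p.startswith("c:\\programdata\\"):
            return ("exchange_named_service_in_programdata", f"{name!r} -> {binpath}")
    return None

def scan(lines):
    """Scan log lines; return (line number, rule, detail) for every hit."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := check_line(line))]

SAMPLE = [  # constructed: benign DNS, C2 lookup, dropper service, benign service
    "DNS 10.0.0.5 mail.contoso.example -> 10.0.0.20",
    "DNS 10.0.0.5 abc123.msn-service.co -> 88.80.148.162",
    r'SVC "Microsoft Exchange Services Health" C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe',
    r'SVC "Spooler" C:\Windows\System32\spoolsv.exe',
]
```

Running scan(SAMPLE) flags lines 2 and 3 only; the domain check requires a label boundary, so a look-alike such as notmailupdate.info does not match.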

Indicators of Compromise

  • [File] Path – C:\ProgramData\Microsoft\DRMS\JavaUpdateServices.exe; C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeDiagnosticServices.exe; C:\ProgramData\Microsoft\Diagnostic\MicrosoftExchangeServicesLog.exe
  • [Hash] MD5 – 4812449f7fad62162ba8c4179d5d45d7, 3fbea74b92f41809f46145f480782ef9
  • [Domain] mail-updateservice.info, msn-center.uk, msn-service.co, twittsupport.com, mailupdate.info, maill-support.com
  • [IP] 88.80.148.162
  • [URL] http://188.165.174.199:18080/index.aspx, http://188.165.174.199:18080/favico.ico

Read more: https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware