- Aug 17, 2014
The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools.
Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that's capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server.
"Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address," the Romanian cybersecurity firm said in a report shared with The Hacker News.
"Custom-developed malware, also known as 'tailored' malware, is generally harder to detect because it is specifically crafted to evade detection and contains unique code," Bitdefender researcher Martin Zugec noted.
The exact modus operandi used to achieve initial intrusion is currently undetermined, although it's suspected to entail the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine.
After a successful breach, the threat actor attempts to disable Microsoft Defender with a PowerShell command and establishes persistence on the host by registering a service.
Bitdefender said it also observed Charming Kitten downloading two Internet Information Services (IIS) modules capable of processing incoming instructions and exfiltrating credentials.
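Detection logic for the two post-exploitation steps just described (Defender tampering via PowerShell, then persistence through a newly registered service), as an added example that is not code from Bitdefender or The Hacker News. The page does not give the exact PowerShell command, service name or binary path BellaCiao uses, so the Defender cmdlet switches matched, the trusted-directory list, the 30-minute correlation window and the log records are all assumptions; the records are constructed to resemble Windows event ID 4104 (PowerShell script block logging) and event ID 7045 (System log, new service installed).

```python
"""Detection over constructed Windows event records for the BellaCiao-style
post-exploitation chain: Defender disabled via PowerShell, then a service
registered for persistence. Added example; the patterns are assumptions."""
import re
from datetime import datetime, timedelta

# Set-MpPreference / Add-MpPreference are the real Defender cmdlets; which
# switches the actor flips is not given on the page (assumption).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection|"
    r"BehaviorMonitoring|IntrusionPreventionSystem)\s+(?:\$true|1)\b"
    r"|Add-MpPreference\b.*-ExclusionPath",
    re.IGNORECASE,
)

# A freshly installed service whose binary lives outside these directories is
# treated as untrusted (assumption; tune to your estate).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Defender tampering followed by a service install on the same host within
# this window is escalated as the chain (assumed window).
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-04-20T09:12:01", "host": "exch01", "event_id": 4104,
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2023-04-20T09:14:30", "host": "exch01", "event_id": 7045,
     "service_name": "UpdaterSvc",
     "image_path": "C:\\ProgramData\\Updater\\updater.exe"},
    {"ts": "2023-04-20T10:00:00", "host": "build07", "event_id": 7045,
     "service_name": "VendorAgent",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
    {"ts": "2023-04-20T11:00:00", "host": "ws42", "event_id": 4104,
     "script_block": "Get-MpPreference | Select DisableRealtimeMonitoring"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def check_powershell(event):
    """Event ID 4104 script block carrying a Defender-tampering command."""
    if event["event_id"] != 4104:
        return None
    if DEFENDER_TAMPER.search(event["script_block"]):
        return {"rule": "defender_tamper", "host": event["host"],
                "ts": parse_ts(event["ts"]), "detail": event["script_block"]}
    return None


def check_service(event):
    """Event ID 7045 (new service installed) with a binary outside the
    trusted directories."""
    if event["event_id"] != 7045:
        return None
    if not event["image_path"].lower().startswith(TRUSTED_SERVICE_DIRS):
        return {"rule": "untrusted_service_install", "host": event["host"],
                "ts": parse_ts(event["ts"]),
                "detail": f'{event["service_name"]} -> {event["image_path"]}'}
    return None


def triage(events):
    """Run both checks in time order, then correlate per host.
    Returns (individual findings, escalated chains)."""
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for check in (check_powershell, check_service):
            hit = check(ev)
            if hit:
                findings.append(hit)
    tampers = [f for f in findings if f["rule"] == "defender_tamper"]
    chains = []
    for svc in (f for f in findings if f["rule"] == "untrusted_service_install"):
        for t in tampers:
            gap = svc["ts"] - t["ts"]
            if t["host"] == svc["host"] and timedelta(0) <= gap <= CORRELATION_WINDOW:
                chains.append({"rule": "defender_tamper_then_service",
                               "host": svc["host"], "service": svc["detail"]})
    return findings, chains


if __name__ == "__main__":
    hits, escalated = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]} {h["rule"]}: {h["detail"]}')
    for c in escalated:
        print(f'ESCALATE {c["host"]}: {c["service"]}')
```

The correlation is the part worth keeping even if the individual rules are noisy in your environment: a lone `Set-MpPreference` call may be an administrator, and a lone service install may be a legitimate deployment, but the two on the same host minutes apart is the sequence the report describes. A read-only `Get-MpPreference` query, as in the last constructed record, is deliberately not matched.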
Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks