Bellaciao

Malware updated 7 months ago (2024-05-04T21:00:24.504Z)
"BellaCiao" is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). First observed in use since at least November 2022, this malicious script dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. Likely exploiting vulnerabilities on internet-facing servers for deployment, BellaCiao interacts with an actor-controlled server via a DNS resolution request for a target-specific domain. The malware's design is believed to aid in evading detection during the period between initial infiltration and the commencement of the attack. On April 26, 2023, a third party publicly associated BellaCiao with Charming Kitten.

This implant-dropper communicates with its command-and-control server over DNS using a custom communication channel implemented by the attackers. In deciding when to drop the webshell, which directory to use, and what name to give it, BellaCiao queries this server. Interestingly, the webshell is not downloaded from an external server; instead, it is encoded into the BellaCiao executable itself in the form of malformed base64 strings.

Despite originating from Iran, BellaCiao has been utilized by threat actors from other countries such as North Korea (Group123, Ricochet Chollima, APT37), specifically targeting South Korea. The malware has been delivered through various file types including ZIP, DOC, ISO, LNK, BAT, EXE, and VBS files. It has also been associated with other malware types like ROKRAT, Amadey, and GOLDBACKDOOR. Additionally, the threat actors have abused several cloud services like pCloud, Yandex Cloud, OneDrive, and Hangul Word Processor, and software protection tools like Themida to further their malicious activities.
Description last updated: 2024-05-04T16:07:13.408Z
Aliases: We are not currently tracking any aliases

Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Dropper, Malware, Implant, IIS, Proxy, APT
Analyst Notes & Discussion
Associated Threat Actors
Alias | Description | Association Type | Votes
Charming Kitten | The Charming Kitten Threat Actor is associated with Bellaciao. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect | Unspecified | 4
APT35 | The APT35 Threat Actor is associated with Bellaciao. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp | Unspecified | 2