Bellaciao

Malware Profile Updated 24 days ago
BellaCiao is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). In use since at least November 2022, this malicious dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. It is likely deployed by exploiting vulnerabilities on internet-facing servers, after which BellaCiao contacts an actor-controlled server through a DNS resolution request for a target-specific domain. The malware's design is believed to help it evade detection in the period between initial infiltration and the start of the attack. On April 26, 2023, a third party publicly associated BellaCiao with Charming Kitten. This implant-dropper communicates with its command-and-control server over DNS using a custom communication channel implemented by the attackers. BellaCiao queries this server to decide when to drop the webshell, which directory to place it in, and what name to give it. Notably, the webshell is not downloaded from an external server; instead, it is embedded in the BellaCiao executable itself in the form of malformed base64 strings. Despite originating from Iran, BellaCiao has been utilized by threat actors from other countries such as North Korea (Group123, Ricochet Chollima, APT37), specifically targeting South Korea. The malware has been delivered through various file types, including ZIP, DOC, ISO, LNK, BAT, EXE, and VBS files. It has also been associated with other malware families such as ROKRAT, Amadey, and GOLDBACKDOOR. Additionally, the threat actors have abused several cloud services like pCloud, Yandex Cloud, OneDrive, and Hangul Word Processor, and software protection tools like Themida to further their malicious activities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Dropper
Malware
Implant
Iis
Proxy
Apt
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Charming Kitten | Unspecified | 4 | Charming Kitten is a threat actor group, believed to be of Iranian origin, known for its advanced and sophisticated cyberattacks. The group has been active in launching attacks against various entities in Brazil, Israel, and the United Arab Emirates using a new backdoor method, as reported by Securi
APT35 | Unspecified | 2 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the BellaCiao malware was read from the document corpus below. This display is limited to 20 results.
Source | Created at | Title
Securityaffairs | a year ago | Charming Kitten used a new BellaCiao malware in recent wave of attacks
CSO Online | a year ago | Iranian cyberspies deploy new malware implant on Microsoft Exchange Servers
CERT-EU | a year ago | Bitdefender warns of new Iran-backed APT attacks – Global Security Mag Online
DARKReading | a year ago | 'BellaCiao' Showcases How Iran's Threat Groups Are Modernizing Their Malware
CERT-EU | a year ago | Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
CERT-EU | a year ago | Charming Kitten targets critical infrastructure in US and elsewhere with BellaCiao malware
Securelist | 10 months ago | APT trends report Q2 2023
CERT-EU | 10 months ago | APT trends report Q2 2023 – GIXtools
CERT-EU | 7 months ago | APT trends report Q3 2023