Bellaciao

Malware Profile Updated 3 months ago
BellaCiao is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). In use since at least November 2022, this malicious script dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. It is likely deployed by exploiting vulnerabilities on internet-facing servers. Once installed, BellaCiao contacts an actor-controlled server by issuing a DNS resolution request for a target-specific domain. The malware's design is believed to help it evade detection during the period between initial infiltration and the start of the attack. On April 26, 2023, a third party publicly associated BellaCiao with Charming Kitten.

This implant-dropper communicates with its command-and-control server over DNS using a custom communication channel implemented by the attackers. BellaCiao queries this server to decide when to drop the webshell, which directory to place it in, and what name to give it. Notably, the webshell is not downloaded from an external server; it is embedded in the BellaCiao executable itself in the form of malformed base64 strings.

Despite originating from Iran, BellaCiao has been used by threat actors from other countries such as North Korea (Group123, Ricochet Chollima, APT37), specifically targeting South Korea. The malware has been delivered through various file types, including ZIP, DOC, ISO, LNK, BAT, EXE, and VBS files. It has also been associated with other malware such as ROKRAT, Amadey, and GOLDBACKDOOR. Additionally, the threat actors have abused several cloud services, such as pCloud, Yandex Cloud, OneDrive, and Hangul Word Processor, and software protection tools such as Themida to further their malicious activities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Dropper, Malware, Implant, Proxy, IIS, APT, Infiltration, Bitdefender, Exploits, Webshell, Backdoor, Malware Impl..., Payload, Malware Drop..., MITRE
Associated Malware
ID / Type / Votes / Profile Description
No associations to display
Associated Threat Actors
ID / Type / Votes / Profile Description
Charming Kitten (Unspecified, 4 votes): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
APT35 (Unspecified, 2 votes): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Newsbeef (Unspecified, 1 vote): None
Associated Vulnerabilities
ID / Type / Votes / Profile Description
ProxyShell (Unspecified, 1 vote): ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
OWASSRF (Unspecified, 1 vote): OWASSRF is a software vulnerability that presents a significant security risk to Microsoft Exchange Server systems. It's an exploit method that bypasses ProxyNotShell vulnerability mitigations, allowing for remote code execution on vulnerable servers through Outlook Web Access. This vulnerability ha
Source Document References
Information about the BellaCiao malware was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title
CERT-EU, 9 months ago: APT trends report Q3 2023
CERT-EU, a year ago: APT trends report Q2 2023 – GIXtools
Securelist, a year ago: APT trends report Q2 2023
CSO Online, a year ago: Iranian cyberspies deploy new malware implant on Microsoft Exchange Servers
Securityaffairs, a year ago: Charming Kitten used a new BellaCiao malware in recent wave of attacks
CERT-EU, a year ago: Charming Kitten targets critical infrastructure in US and elsewhere with BellaCiao malware
DARKReading, a year ago: 'BellaCiao' Showcases How Iran's Threat Groups Are Modernizing Their Malware
CERT-EU, a year ago: Bitdefender warns of new Iran-backed APT attacks – Global Security Mag Online
CERT-EU, a year ago: Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption