Bellaciao

"BellaCiao" is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). First observed in use since at least November 2022, this malicious script dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. Likely exploiting vulnerabilities on internet-facing servers for deployment, BellaCiao interacts with an actor-controlled server via a DNS resolution request for a target-specific domain. The malware's design is believed to aid in evading detection during the period between initial infiltration and the commencement of the attack. On April 26, 2023, a third party publicly associated BellaCiao with Charming Kitten. This implant-dropper communicates with its command-and-control server over DNS using a custom communication channel implemented by the attackers. In deciding when to drop the webshell, which directory to use, and what name to give it, BellaCiao queries this server. Interestingly, the webshell is not downloaded from an external server; instead, it is encoded into the BellaCiao executable itself in the form of malformed base64 strings. Despite originating from Iran, BellaCiao has been utilized by threat actors from other countries such as North Korea (Group123, Ricochet Chollima, APT37), specifically targeting South Korea. The malware has been delivered through various file types including ZIP, DOC, ISO, LNK, BAT, EXE, and VBS files. It has also been associated with other malware types like ROKRAT, Amadey, and GOLDBACKDOOR. Additionally, the threat actors have abused several cloud services like pCloud, Yandex Cloud, OneDrive, and Hangul Word Processor, and software protection tools like Themida to further their malicious activities.