Security researchers have uncovered a new malware tool in the arsenal of an infamous Iranian hacking group.
The malware is being used by the Charming Kitten group, also tracked as Mint Sandstorm, PHOSPHORUS and ITG18, among other names, and under the designation APT35 or APT42 depending on the vendor. It is thought to be a state-sponsored group linked to Iran's Islamic Revolutionary Guard Corps.
The group has begun using a new dropper that its creators named BellaCiao. Rather than a generic build, each sample is hard coded for the specific victim it is deployed against.
Researchers at Bitdefender discovered the campaign and have found a number of infected targets in the wild.
While the initial attack vector remains unclear, it is believed to be exploitation of a Microsoft Exchange vulnerability; Exchange servers were certainly the group's main targets.
Once deployed, BellaCiao first runs a PowerShell command to disable Microsoft Defender, then establishes persistence on the machine by masquerading under the names of a number of legitimate Exchange processes.
The next step installs two IIS-based backdoors intended for credential theft, capturing passwords and other identifying information. Finally, a custom executable is installed. When instructed by the threat actor's command-and-control (C2) infrastructure, it fetches further payloads. The instructions arrive through what look like ordinary DNS lookups: the malware resolves a hostname, and the IP address returned in the answer is not used as a destination at all but is decoded as a command telling the malware what to download and where on the target machine to install it.
At this point, Charming Kitten can download and upload files, upload web logs, and run further commands and scripts.
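To make the DNS signalling concrete, here is an added, illustrative model of a DNS-answer command channel. It is not BellaCiao's code and is not taken from Bitdefender's report: the hostnames, the hardcoded baseline address, the rule that the first three octets must match and the opcode table keyed on the last octet are all assumptions made for this example. It shows both sides of the exchange: the operator encodes an instruction by setting an A record, and the implant decodes it from a lookup that, on the wire, is indistinguishable from any other name resolution.

```python
"""
Illustrative model (not BellaCiao's actual implementation) of tasking an
implant through the IPv4 address returned by a DNS A-record lookup.

Assumptions made for this example:
  * the implant has one victim-specific hostname and one baseline IP
    compiled into it;
  * an answer is only treated as a command if its first three octets
    match the baseline, which filters out sinkholes and unrelated answers;
  * the last octet selects the instruction from a small opcode table.
"""
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for the operator's authoritative DNS zone. A real
# implant would send an ordinary UDP/53 query and read the A record.
FAKE_ZONE: Dict[str, str] = {}

# Hypothetical per-victim values baked into the sample.
VICTIM_HOSTNAME = "acme.example-c2.test"
HARDCODED_IP = "10.20.30.0"

# Hypothetical opcode table; the names are assumptions, not BellaCiao's.
INSTRUCTIONS = {
    0: "sleep",          # nothing to do, check again later
    1: "drop_webshell",
    2: "drop_stager",
    3: "uninstall",
}
OPCODES = {name: code for code, name in INSTRUCTIONS.items()}


def encode_instruction(instruction: str, baseline: str = HARDCODED_IP) -> str:
    """Operator side: build the A record that carries `instruction`."""
    if instruction not in OPCODES:
        raise ValueError(f"unknown instruction: {instruction}")
    base = ipaddress.IPv4Address(baseline).packed
    return str(ipaddress.IPv4Address(bytes(base[:3]) + bytes([OPCODES[instruction]])))


def publish(hostname: str, instruction: str) -> None:
    """Operator side: point the victim's hostname at the encoded address."""
    FAKE_ZONE[hostname] = encode_instruction(instruction)


def resolve(hostname: str) -> Optional[str]:
    """Implant side: the A-record lookup, simulated against FAKE_ZONE."""
    return FAKE_ZONE.get(hostname)


def decode_instruction(resolved: str, baseline: str = HARDCODED_IP) -> Optional[str]:
    """Implant side: turn an answer into an instruction, or None if it is not a valid signal."""
    try:
        got = ipaddress.IPv4Address(resolved).packed
        base = ipaddress.IPv4Address(baseline).packed
    except ValueError:
        return None  # malformed answer, ignore
    if got[:3] != base[:3]:
        return None  # wrong prefix: sinkhole, NXDOMAIN substitute, or noise
    return INSTRUCTIONS.get(got[3])  # None for an opcode the build does not know


def check_in(hostname: str = VICTIM_HOSTNAME) -> Optional[str]:
    """One beacon: resolve the victim-specific name and decode the answer."""
    answer = resolve(hostname)
    if answer is None:
        return None
    return decode_instruction(answer)


if __name__ == "__main__":
    publish(VICTIM_HOSTNAME, "drop_stager")
    print(f"{VICTIM_HOSTNAME} -> {resolve(VICTIM_HOSTNAME)} -> {check_in()}")
    publish(VICTIM_HOSTNAME, "sleep")
    print(f"{VICTIM_HOSTNAME} -> {resolve(VICTIM_HOSTNAME)} -> {check_in()}")
```

The point for defenders is that nothing in the packet is malformed: the query is a normal A record and the answer is a normal RFC 1918 or public address. What stands out is behavioural, such as a server process periodically resolving a single victim-specific hostname whose answer only ever changes in its last octet, so the telemetry worth keeping is per-host DNS query logs with the resolved addresses, not just blocklist hits.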
Bitdefender's analysis of the code reveals a well-organised campaign, with folders named for the targeted countries, and company and subdomain details hard coded into each build.
“This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure,” said Martin Zugec, technical solutions director at Bitdefender, in a blog post.
“The name used by malware developers is BellaCiao, a reference to the Italian folk song about resistance fighting. We have identified multiple victims in the United States and Europe, but also in the Middle East (Turkey), or India.”
The Charming Kitten group has been active since at least 2014 and is known to exploit publicly known vulnerabilities for which proof-of-concept exploits already exist, such as Log4Shell. While less sophisticated groups rely on scattershot scanning to find and exploit exposed systems, Charming Kitten is very specific in its targeting.
“More sophisticated threat actors, including Charming Kitten, are trying to stay ahead of defenders by using custom tools to evade detection,” Zugec said. “Custom-developed malware, also known as ‘tailored’ malware, is generally harder to detect because it is specifically crafted to evade detection and contains unique code.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.