Cybersecurity researchers from Bitdefender Labs have uncovered a new malicious program, known as Bellaciao, being used by the Iran-backed Charming Kitten APT group to target victims across the USA, Europe, the Middle East, and India. Bellaciao is described as a “personalized dropper”: it is designed to deliver payloads to a victim’s computer using commands from two servers. Bitdefender Labs notes that each delivered sample has been tied to a specific victim and contains hard-coded information, including subdomains, IP addresses, and company names.
Custom-built malware of this kind is difficult to detect because its code is unique to each victim, which makes it an effective tool for attackers. The exact initial attack vector remains unknown, but it is assumed that vulnerabilities in Microsoft Exchange Server or Zoho ManageEngine were exploited to gain a foothold. Once the attackers have access, they disable Microsoft Defender using PowerShell commands and establish persistence on the host via a service instance.
The Charming Kitten APT group also loads two Internet Information Services (IIS) modules capable of processing incoming instructions and harvesting credentials. Bellaciao stands out from other malware in that it performs a DNS request every 24 hours to resolve a subdomain to an IP address; the returned address is then parsed to extract commands for the compromised system.
The malware resolves the subdomain against the attacker’s DNS server, which answers with a fake IP address that mimics the victim’s real IP address; the hard-coded instructions are carried in that fake address. This is the key step for delivering additional malware, since the instructions arrive through DNS rather than through a conventional command-and-control channel. Depending on the IP address returned, the attack chain could lead to the deployment of a web shell that allows downloading and executing arbitrary files or commands.
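The DNS-based command channel described above has two properties a defender can look for in DNS resolver logs: a hostname queried at a steady 24-hour cadence, and answers that sit next to the organisation’s own public IP address without ever equalling it. The following Python script is an added example (not Bitdefender’s code and not part of the original article) that scans constructed sample log lines for exactly that pattern. The log format, the organisation’s public IP (203.0.113.10), the hostnames and the 10-minute timing tolerance are all assumptions made for the example.

```python
"""Flag DNS lookups that look like the BellaCiao-style command channel:
a per-victim hostname resolved roughly every 24 hours whose answer mimics
the victim's own public IP. All inputs below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed resolver log: "<timestamp> <client> <queried name> <answer>"
SAMPLE_DNS_LOG = """\
2023-04-01T03:00:12Z 10.0.0.5 mail.example-victim.test 203.0.113.10
2023-04-01T03:00:14Z 10.0.0.5 update.victim-corp.attacker.test 203.0.113.11
2023-04-02T03:00:15Z 10.0.0.5 update.victim-corp.attacker.test 203.0.113.11
2023-04-02T09:12:40Z 10.0.0.7 www.example-victim.test 203.0.113.10
2023-04-03T03:00:13Z 10.0.0.5 update.victim-corp.attacker.test 203.0.113.12
"""

# Assumed public IP of the monitored organisation (documentation range, constructed)
ORG_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
PERIOD = timedelta(hours=24)      # cadence reported for the malware's DNS request
TOLERANCE = timedelta(minutes=10)  # assumed jitter allowance between beacons


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, name, answer) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, name, answer = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, name, ipaddress.ip_address(answer)))
    return records


def answer_mimics_own_ip(answer, own_ip):
    """True when the answer is in our own /24 but is not our real address.
    A legitimate lookup of our own services returns the real address;
    a look-alike neighbour is the signature described in the report."""
    own_block = ipaddress.ip_network(f"{own_ip}/24", strict=False)
    return answer != own_ip and answer in own_block


def is_periodic(timestamps, period=PERIOD, tol=TOLERANCE, min_hits=3):
    """True when successive lookups are spaced by `period` within `tol`."""
    ts = sorted(timestamps)
    if len(ts) < min_hits:
        return False
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return all(abs(gap - period) <= tol for gap in gaps)


def find_suspicious(records, own_ip=ORG_PUBLIC_IP):
    """Group lookups per (client, name) and report those that beacon daily
    and only ever receive look-alike answers."""
    by_key = defaultdict(list)
    for ts, client, name, answer in records:
        by_key[(client, name)].append((ts, answer))

    hits = []
    for (client, name), entries in by_key.items():
        times = [t for t, _ in entries]
        answers = {a for _, a in entries}
        if is_periodic(times) and all(answer_mimics_own_ip(a, own_ip) for a in answers):
            hits.append({
                "client": client,
                "name": name,
                "answers": sorted(str(a) for a in answers),
                "count": len(entries),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_log(SAMPLE_DNS_LOG)):
        print(f"[suspicious] {hit['client']} -> {hit['name']} "
              f"({hit['count']} daily lookups, answers {hit['answers']})")
```

A daily lookup on its own is common (update checks, licence pings), so the look-alike-answer test is what carries the signal here; the /24 window and the tolerance are starting points to tune against your own resolver data, and a real deployment would read from the resolver’s actual log format rather than the constructed one above.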
A second version of Bellaciao has been spotted that replaces the web shell with the Plink (PuTTY Link) tool, which connects to remote servers and provides backdoor functionality. The Charming Kitten APT group has successfully targeted a range of small companies across several industries, making Bellaciao an effective tool for compromising poorly secured systems running outdated software and protected by weak passwords.