'BellaCiao' Showcases How Iran's Threat Groups Are Modernizing Their Malware

The dropper is being used in a Charming Kitten APT campaign that has hit organizations in multiple countries.


A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Iran's state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.

The malware, dubbed "BellaCiao," is a dropper that Iran's Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.

Unique Approach to Receiving C2 Commands

Zugec says the manner in which BellaCiao interacts with the C2 server and receives commands from it is also unique. "The communication between implant and C2 infrastructure is based on DNS name resolution," he explains. There is no detectable active communication between the implant and the malicious C2 infrastructure. "[Infected hosts] ask Internet servers for a DNS name resolution, and based on the format of returned IP address, decides which action to take." The format of each segment of the IP address — or octet — specifies further instructions to the malware, such as the location where to drop stolen information, Zugec says.

Zugec likens the manner in which BellaCiao uses DNS information to retrieve C2 instructions to how someone might convey specific information to another person via a phone number. When an individual looks up a specific name in the phone book, the associated telephone number could be code for something else. "In this analogy, country code can tell you the action to execute, area code tells you the malware to deploy, and phone number specifies the location where to deploy it. There is never any direct contact between C2 and the agent/implant." The approach makes it hard for defenders to spot the activity. "Our hypothesis is that the aim of BellaCiao is to evade detection during the period between the initial infiltration and the actual commencement of the attack," Zugec says.

DNS-based attacks themselves are not completely new, Zugec says, pointing to techniques like DNS tunneling and the use of domain generation algorithms in attacks. But those techniques involve active use of DNS, which makes it possible for a defender to detect malicious intent. With BellaCiao, the usage is completely passive, he says.
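The passive pattern described above (a host resolves a name, acts on the returned address, and never connects to it) leaves one correlatable trace: DNS answers with no matching outbound connection. The following added example, not part of Bitdefender's report or any vendor tooling, flags hosts that repeatedly resolve a name yet never contact any address that name resolved to; the log formats and the hostnames, domains and addresses are constructed for the illustration.

```python
"""
Defender-side heuristic for passive DNS-based C2: correlate DNS answers
against connection logs and flag (host, name) pairs that were resolved
repeatedly but whose answers the host never connected to.
Log formats below are constructed for this example (assumption), not
any real sensor's output.
"""
from collections import defaultdict

# Constructed sample logs: DNS lines are "src_host query answer",
# connection lines are "src_host dst_ip".
DNS_LOG = """\
ws01 update.example-corp.test 10.20.30.40
ws01 update.example-corp.test 10.20.30.40
ws01 cdn.vendor.test 203.0.113.7
ws02 cdn.vendor.test 203.0.113.7
ws01 update.example-corp.test 10.21.31.41
ws01 update.example-corp.test 10.22.32.42
"""
CONN_LOG = """\
ws01 203.0.113.7
ws02 203.0.113.7
"""

def parse(text, fields):
    """Split whitespace-separated log lines into dicts keyed by `fields`."""
    return [dict(zip(fields, line.split()))
            for line in text.splitlines() if line.strip()]

def resolved_but_never_contacted(dns_text, conn_text, min_lookups=3):
    """Return {(host, name): [answers in order]} for names a host resolved
    at least `min_lookups` times without ever connecting to any answer.
    A varying set of answers across lookups is worth a second look, since
    the implant reads the answer as data rather than as a destination."""
    lookups = defaultdict(list)          # (host, name) -> answers seen
    for rec in parse(dns_text, ("host", "name", "answer")):
        lookups[(rec["host"], rec["name"])].append(rec["answer"])
    contacted = defaultdict(set)         # host -> destination IPs seen
    for rec in parse(conn_text, ("host", "dst")):
        contacted[rec["host"]].add(rec["dst"])
    flagged = {}
    for (host, name), answers in lookups.items():
        if len(answers) >= min_lookups and not set(answers) & contacted[host]:
            flagged[(host, name)] = answers
    return flagged
```

Tune `min_lookups` to the environment; a name resolved once and never contacted is ordinary caching noise, while a name resolved on a schedule with no traffic to any answer is the pattern worth investigating.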

The Face of a More Aggressive Approach

Charming Kitten (aka APT35 and Phosphorus) is a state-backed Iranian cyber threat group that has been operational since at least 2014. The threat actor has been associated with numerous sophisticated spear-phishing attacks against targets that have included government agencies, journalists, think tanks, and academic institutions. One of its primary missions has been to collect information on people and entities of interest to the Iranian government. Security researchers have also associated Charming Kitten with credential harvesting and malware distribution campaigns. Last year, Proofpoint identified the group as even using phishing lures in kinetic attacks — such as attempted kidnapping.

Charming Kitten is among several threat groups that have been upgrading tactics and their cyber arsenals in support of Iranian government objectives since mid-2021 after Ebrahim Raisi replaced the more moderate Hassan Rouhani as the president of Iran. "After a transition of power in 2021, the [Islamic Revolutionary Guards Corps] and associated APT groups adopted a more aggressive and confrontational approach and demonstrated a willingness to use force to achieve its objectives," Bitdefender said in its report this week.

One manifestation of the new approach is the increasingly quick weaponization of newly disclosed exploits and proof of concept code, by Iranian state-sponsored actors and financially motivated threat groups. "It is premature to discuss the motivations of Iranian state-sponsored groups following the power transition in 2021," Zugec says. "[But] these groups are enhancing their attack strategies and refining their tactics, techniques, and procedures."

Ransomware attacks continue to be a common method among Iranian groups for monetary gain and for causing disruptions. But Bitdefender has also observed a pattern of sustained involvement by Iranian groups in some campaigns, suggesting long-term objectives. "It is quite possible that these threat actors are employing a trial-and-error approach to test various techniques," Zugec notes, "in order to determine the most effective modus operandi for their operations."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
