'BellaCiao' Showcases How Iran's Threat Groups Are Modernizing Their Malware

The dropper is being used in a Charming Kitten APT campaign that has hit organizations in multiple countries.

5 Min Read
Hacking Iran concept with hand wearing black leather glove pressing enter key with flag overlaid
Shutterstock: DD Images

A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Iran's state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.

The malware, dubbed "BellaCiao," is a dropper that Iran's Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.

Unique Approach to Receiving C2 Commands

Zugec says the manner in which BellaCiao interacts with the C2 server and receives command from it is also unique. "The communication between implant and C2 infrastructure is based on DNS name resolution," he explains. There is no active communication that is detectable between the implant and the malicious C2 infrastructure. "[Infected hosts] asks Internet servers for a DNS name resolution, and based on the format of returned IP address, decides which action to take." The format of each segment of IP address — or octet — specifies further instructions to the malware such as location where to drop stolen information, Zugec says.

Zugec likens the manner in which BellaCio uses DNS information to retrieve C2 instruction to how someone might convey specific information to another person via a phone number. When an individual looks up a specific name in the phone book, the associated telephone number could be code for something else. "In this analogy, country code can tell you the action to execute, area code tells you the malware to deploy, and phone number specifies the location where to deploy it. There is never any direct contact between C2 and the agent/implant." The approach makes it hard for defenders to spot the activity. "Our hypothesis is that the aim of BellaCiao is to evade detection during the period between the initial infiltration and the actual commencement of the attack," Zugec says.

DNS-based attacks themselves are not completely new, Zugec says, pointing to techniques like DNS tunneling and the use of domain generation algorithms in attacks. But the techniques involve active use of DNS, which makes it possible for a defender to detect malicious intent. With BellaCiao, the usage is completely passive, he says.

The Face of a More Aggressive Approach

Charming Kitten (aka APT35 and Phosphorous), is a state-backed Iranian cyber threat group that has been operational since at least 2014. The threat actor has been associated with numerous sophisticated spear-phishing attacks against targets that have included government agencies, journalists, think tanks, and academic institutions. One of its primary missions has been to collect information on people and entities of interest to the Iranian government. Security researchers have also associated Charming Kitten with credential harvesting and malware distribution campaigns. Last year, Proofpoint identified the group as even using phishing lures in kinetic attacks — such as attempted kidnapping.

Charming Kitten is among several threat groups that have been upgrading tactics and their cyber arsenals in support of Iranian government objectives since mid-2021 after Ebrahim Raisi replaced the more moderate Hassan Rouhani as the president of Iran. "After a transition of power in 2021, the [Islamic Revolutionary Guards Corps] and associated APT groups adopted a more aggressive and confrontational approach and demonstrated a willingness to use force to achieve its objectives," Bitdefender said in its report this week.

One manifestation of the new approach is the increasingly quick weaponization of newly disclosed exploits and proof of concept code, by Iranian state-sponsored actors and financially motivated threat groups. "It is premature to discuss the motivations of Iranian state-sponsored groups following the power transition in 2021," Zugec says. "[But] these groups are enhancing their attack strategies and refining their tactics, techniques, and procedures."

Ransomware attacks continues to be common method among Iranian groups for monetary gain and for causing disruptions. But Bitdefender has also observed a pattern of sustained involvement by Iranian groups in some campaigns, suggesting long-term objectives. "It is quite possible that these threat actors are employing a trial-and-error approach to test various techniques," Zugec notes, "in order to determine the most effective modus operandi for their operations."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights