BellaCiao Showcases How Iran's Threat Groups Are Modernizing Their Malware

Published: 23/11/2024 | Category: security




The dropper is being used in a Charming Kitten APT campaign that has hit organizations in multiple countries.



A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Iran's state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.
The malware, dubbed BellaCiao, is a dropper that Iran's Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.
Zugec says the manner in which BellaCiao interacts with the C2 server and receives commands from it is also unique. "The communication between implant and C2 infrastructure is based on DNS name resolution," he explains. "There is no active communication that is detectable between the implant and the malicious C2 infrastructure. [Infected hosts] ask Internet servers for a DNS name resolution, and based on the format of the returned IP address, decide which action to take. The format of each segment of the IP address — or octet — specifies further instructions to the malware, such as the location where to drop stolen information," Zugec says.
Zugec likens the manner in which BellaCiao uses DNS information to retrieve C2 instructions to how someone might convey specific information to another person via a phone number. When an individual looks up a specific name in the phone book, the associated telephone number could be code for something else. "In this analogy, the country code can tell you the action to execute, the area code tells you the malware to deploy, and the phone number specifies the location where to deploy it. There is never any direct contact between C2 and the agent/implant." The approach makes it hard for defenders to spot the activity. "Our hypothesis is that the aim of BellaCiao is to evade detection during the period between the initial infiltration and the actual commencement of the attack," Zugec says.
DNS-based attacks themselves are not completely new, Zugec says, pointing to techniques like DNS tunneling and the use of domain generation algorithms in attacks. But those techniques involve active use of DNS, which makes it possible for a defender to detect malicious intent. "With BellaCiao, the usage is completely passive," he says.
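The passive C2 pattern described above leaves no tunnelled payloads to match on, so a defender is left hunting for the shape of the behaviour in resolver logs: one host asking for the same name on a schedule and receiving answers that keep changing, for a name nobody else in the environment resolves. The following script is an added illustration written for this article, not Bitdefender's or the article's own code; the log format, host addresses, domain names, and scoring thresholds are all constructed and arbitrary, and the heuristic is a hunting starting point rather than a signature for BellaCiao.

```python
"""Heuristic hunt for passive, DNS-signalled command-and-control in resolver logs.

Added example (not from the article or Bitdefender). Models the defender's
view of an implant that only performs ordinary DNS lookups and reads its
instructions from the returned address: regular cadence, rotating answers,
and a name resolved by a single client. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed resolver log lines: "<epoch> <client> <qname> <answer>".
# 10.1.1.9 queries one name every 600 s and gets a different answer each
# time; the other hosts show ordinary browsing and a CDN-style rotating name.
SAMPLE_LOG = """
1700000000 10.1.1.9 status.update-check.test 203.0.113.7
1700000600 10.1.1.9 status.update-check.test 203.0.113.21
1700001200 10.1.1.9 status.update-check.test 203.0.113.3
1700001800 10.1.1.9 status.update-check.test 203.0.113.9
1700002400 10.1.1.9 status.update-check.test 203.0.113.14
1700003000 10.1.1.9 status.update-check.test 203.0.113.2
1700000050 10.1.1.5 www.example.com 198.51.100.10
1700000400 10.1.1.5 www.example.com 198.51.100.10
1700002100 10.1.1.5 www.example.com 198.51.100.10
1700004000 10.1.1.5 www.example.com 198.51.100.10
1700000720 10.1.1.6 www.example.com 198.51.100.10
1700001900 10.1.1.7 www.example.com 198.51.100.10
1700000100 10.1.1.5 cdn.example.net 198.51.100.31
1700000130 10.1.1.5 cdn.example.net 198.51.100.32
1700001000 10.1.1.5 cdn.example.net 198.51.100.33
1700003500 10.1.1.5 cdn.example.net 198.51.100.34
1700000300 10.1.1.6 cdn.example.net 198.51.100.32
1700000310 10.1.1.6 cdn.example.net 198.51.100.35
1700002200 10.1.1.6 cdn.example.net 198.51.100.31
1700002900 10.1.1.6 cdn.example.net 198.51.100.33
""".strip().splitlines()


@dataclass
class Series:
    """All lookups of one qname by one client."""
    times: list = field(default_factory=list)
    answers: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line; qnames are normalised for grouping."""
    ts, client, qname, answer = line.split()
    return int(ts), client, qname.lower().rstrip("."), answer


def build_series(lines):
    """Group lookups per (client, qname) and record which clients ask for each name."""
    series = defaultdict(Series)
    clients_by_qname = defaultdict(set)
    for line in lines:
        ts, client, qname, answer = parse_line(line)
        series[(client, qname)].times.append(ts)
        series[(client, qname)].answers.append(answer)
        clients_by_qname[qname].add(client)
    return series, clients_by_qname


def regularity(times, max_cv=0.2):
    """True when gaps between lookups are near-constant (beacon-like cadence)."""
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return False
    return pstdev(gaps) / mean(gaps) <= max_cv


def score_series(series, n_clients, min_queries=4):
    """Score one (client, qname) series 0..3; None if too few lookups to judge."""
    if len(series.times) < min_queries:
        return None
    flags = {
        "regular_cadence": regularity(series.times),
        # Half or more of the answers differ: the address is carrying signal.
        "answers_rotate": len(set(series.answers)) / len(series.answers) >= 0.5,
        # Nobody else in the environment resolves this name.
        "single_client": n_clients == 1,
    }
    return {"score": sum(flags.values()), "flags": flags, "queries": len(series.times)}


def hunt(lines, min_queries=4):
    """Return scored findings, highest score first."""
    series, clients_by_qname = build_series(lines)
    findings = []
    for (client, qname), s in series.items():
        result = score_series(s, len(clients_by_qname[qname]), min_queries)
        if result:
            findings.append({"client": client, "qname": qname, **result})
    findings.sort(key=lambda f: (-f["score"], f["client"], f["qname"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        hits = [k for k, v in f["flags"].items() if v]
        print(f"{f['score']}  {f['client']:<10} {f['qname']:<28} {f['queries']} lookups  {hits}")
```

The three signals are deliberately independent: a CDN hostname rotates answers but is queried by many hosts at irregular times, and a scheduled task hits a fixed name on a cadence but gets the same answer, so each scores at most one point. Only the combination of cadence, rotating answers, and a name unique to one client reaches the top score, which is what a passive resolution-based implant would look like from the resolver's side. Real deployments would feed this from resolver or endpoint DNS logs and tune the thresholds against a baseline.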
Charming Kitten (aka APT35 and Phosphorus) is a state-backed Iranian cyber threat group that has been operational since at least 2014. The threat actor has been associated with numerous sophisticated spear-phishing attacks against targets that have included government agencies, journalists, think tanks, and academic institutions. One of its primary missions has been to collect information on people and entities of interest to the Iranian government. Security researchers have also associated Charming Kitten with credential harvesting and malware distribution campaigns. Last year, Proofpoint identified the group as even using phishing lures in kinetic attacks — such as attempted kidnapping.
Charming Kitten is among several threat groups that have been upgrading their tactics and cyber arsenals in support of Iranian government objectives since mid-2021, after Ebrahim Raisi replaced the more moderate Hassan Rouhani as president of Iran. "After a transition of power in 2021, the [Islamic Revolutionary Guards Corps] and associated APT groups adopted a more aggressive and confrontational approach and demonstrated a willingness to use force to achieve their objectives," Bitdefender said in its report this week.
One manifestation of the new approach is the increasingly quick weaponization of newly disclosed exploits and proof-of-concept code by Iranian state-sponsored actors and financially motivated threat groups. "It is premature to discuss the motivations of Iranian state-sponsored groups following the power transition in 2021," Zugec says. "[But] these groups are enhancing their attack strategies and refining their tactics, techniques, and procedures."
Ransomware attacks continue to be a common method among Iranian groups for monetary gain and for causing disruption. But Bitdefender has also observed a pattern of sustained involvement by Iranian groups in some campaigns, suggesting long-term objectives. "It is quite possible that these threat actors are employing a trial-and-error approach to test various techniques," Zugec notes, "in order to determine the most effective modus operandi for their operations."
