Iran’s Charming Kitten Utilizes “BellaCiao” Novel Malware

The Iranian nation-state affiliated group, Charming Kitten, is actively targeting as-of-yet unidentified victims across the U.S., Europe, the Middle East, and India using a new malware named BellaCiao. Associated with the Islamic Revolutionary Guard Corps (IRGC), Charming Kitten has a history of infiltrating systems in various industries.

Romanian cybersecurity experts, Bitdefender Labs, identified BellaCiao, which they called a “personalized dropper” malware. BellaCiao is designed to deploy further payloads onto a target device, following commands from a DNS server under the attackers’ control. The attack chain, depending on the resolved IP address, can result in the deployment of a web shell or a Plink tool, both offering backdoor features.

Image originally from a report by Bitdefender Labs

The initial intrusion method remains uncertain, but may involve exploiting vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine (an Indian-made IT management software). After breaching the system, the attackers attempt to disable Microsoft Defender and maintain control through a service instance.

The Charming Kitten group, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm, TA453, and Yellow Garuda, has been linked to retaliatory attacks on U.S. critical infrastructure entities between late 2021 and mid-2022 using bespoke malware. Furthermore, Check Point recently disclosed the group’s use of an updated PowerLess implant to target organizations in Israel with Iraq-themed phishing lures.

Be sure to read Bitdefender Labs‘ full report and forensic analysis of BellaCiao.