Charming Kitten Deploys New C++ BellaCiao Malware Variant in Cyber Espionage Campaign

The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a new C++ variant of BellaCiao malware, expanding its sophisticated cyber espionage toolkit. Cybersecurity researchers from Kaspersky discovered the new variant, dubbed BellaCPP, during an investigation into a compromised machine in Asia.

BellaCiao, first documented in April 2023, is a .NET-based malware family that combines stealthy persistence with the ability to establish covert communication tunnels. The newly discovered C++ variant represents an evolution of the group's malware development, showcasing the threat actor's continuous improvement of its cyber arsenal.

The BellaCPP sample was found as a DLL file named "adhapl.dll" located in the C:\Windows\System32 directory. Unlike its predecessor, this variant lacks the web shell functionality previously observed in earlier BellaCiao samples. The malware is designed to run as a Windows service, with a single export function named "ServiceMain" that follows a similar operational pattern to previous iterations.

Researchers noted several key characteristics of the new malware variant. It uses XOR encryption to decrypt critical strings, including a path to a specific DLL and function names related to system updates and DNS checks. The malware generates domain names using a specific template, which is consistent with previous BellaCiao samples, potentially used for command and control communications.

The investigation revealed that BellaCPP generates domains following a specific format: <5 random letters>..systemupdate[.]info. This domain generation technique, along with the use of previously attributed domains, strongly suggests a connection to the Charming Kitten threat actor.

Kaspersky researchers assess with medium-to-high confidence that BellaCPP is associated with Charming Kitten based on several indicators. These include the use of previously attributed domains, similar domain generation techniques, and the presence of older BellaCiao samples on the infected machine.

The discovery highlights the sophisticated and evolving nature of the Charming Kitten threat group, which is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been known for developing bespoke malware and conducting cyber espionage campaigns targeting various regions, including the United States, the Middle East, and India.

While the full capabilities of the BellaCPP variant remain partially obscured due to difficulties in retrieving a critical DLL file, researchers believe the malware is likely capable of establishing an SSH tunnel for remote access or data exfiltration. This continues the group's pattern of developing sophisticated tools for cyber espionage purposes.

The findings underscore the importance of comprehensive network investigations and robust cybersecurity measures. As threat actors like Charming Kitten continue to refine their malware, organizations must remain vigilant and adaptive in their defense strategies.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this.

You may also like these articles:

• North Korean Hackers Embed Malware in macOS Flutter Apps, Targets Cryptocurrency Users

• Lazarus Group Unleashes New 'RustyAttr' Malware Targeting macOS Systems

• Chinese EagleMsgSpy Surveillance Tool Targets Mobile Devices Across Mainland China

• Iran Linked Hackers Deploy Sophisticated IOCONTROL Malware Targeting Critical Infrastructure

• Microsoft Unveils Advanced North Korean and Chinese Cyber Operations at CYBERWARCON 2024