Attacks using the BellaCiao malware dropper seem to be customized for specific targets.

A cyberespionage group believed to be associated with the Iranian government has been infecting Microsoft Exchange Servers with a new malware implant dubbed BellaCiao that acts as a dropper for additional payloads. The malware uses DNS queries to receive commands from attackers encoded into IP addresses.

According to researchers from Bitdefender, the attackers appear to customize their attacks for each particular victim, including the malware binary, which contains hardcoded information such as company name, custom subdomains and IP addresses. Debugging information and file paths from compilation that were left inside the executable suggest the attackers are organizing their victims into folders by country code, such as IL (Israel), TR (Turkey), AT (Austria), IN (India), or IT (Italy).

The group behind the malware is known in the security industry as Charming Kitten, APT35, or Phosphorus and is believed to be a hacking team operated by the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian military. Microsoft recently reported that since late 2021 Charming Kitten has been targeting US critical infrastructure including seaports, energy companies, transit systems, and a major utility and gas entity.

The group is also known for frequently updating and expanding its malware arsenal with custom tools. While its preferred method of attack is highly targeted and sophisticated phishing that includes impersonation of real individuals, it’s also quick to adopt n-day exploits — exploits for vulnerabilities that have been recently patched. Examples in the past include exploits for Log4Shell and Zoho ManageEngine CVE-2022-47966.
BellaCiao malware deployment and operation

While the Bitdefender researchers are not sure what infection vector is being used to deploy BellaCiao, they found the implant on Exchange Servers, so they suspect attackers are exploiting one of the known Exchange exploits from recent years like ProxyLogon, ProxyShell, ProxyNotShell, or OWASSRF.

Once deployed, the implant disables Microsoft Defender using a PowerShell command and creates a new service for persistence called Microsoft Exchange Services Health or Exchange Agent Diagnostic Services. The chosen names are an attempt to blend in with legitimate Exchange-related processes and services. In addition to BellaCiao, the attackers also deployed backdoors that function as modules for Internet Information Services (IIS), the web server that underpins Exchange. One was an open-source IIS backdoor called IIS-Raid and the other is an IIS module written in .NET and used for credential exfiltration.

Some samples of BellaCiao are designed to deploy a webshell — a web script that works as a backdoor and allows attackers to issue commands remotely. The webshell is not downloaded from an external server but is encoded into the BellaCiao executable itself in the form of malformed base64 strings.

However, to decide when to drop the webshell, in which directory and under what name, the BellaCiao implant queries a command-and-control server over DNS using a custom communication channel that the attackers implemented. The malware makes a DNS request for a subdomain hardcoded in its code every 24 hours. Since the attackers control the DNS for the subdomain, they can return whatever IP address they want, and by doing so they actually transmit commands to the malware, because BellaCiao has special routines to interpret those IP addresses. An IP address has four numerical values (octets) separated by dots, for example 111.111.111.111.
The malware has a hardcoded IP address of the format L1.L2.L3.L4 and compares it to the IP address received from the DNS request, say R1.R2.R3.R4. If the last octets R4 and L4 match, then the webshell is deployed. If they don’t match, the webshell is not deployed, and if R4 is equal to L4-1, all traces of the webshell are removed. The other octets R1, R2 and R3 are also used to determine which directory names and file names to choose from a list when deploying the webshell.

The webshell monitors for web requests that include a particular string that acts as a secret password in the header and provides attackers with three capabilities: file download, file upload and command execution.

Other BellaCiao samples were designed to deploy PowerShell scripts that act as a local web server and a command-line connection tool called Plink that’s used to set up a reverse proxy connection to the web server. This allows attackers to execute commands, execute scripts, upload and download files, upload web logs, and more.

The Bitdefender report includes a list of indicators of compromise such as domain names, file names and paths, PowerShell script hashes and IP addresses. It does not include file hashes for the BellaCiao samples, because the samples have hardcoded information about the victims.
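The DNS tasking channel described above (a lookup of one hardcoded subdomain every 24 hours, with the answer's last octet compared to a baseline octet) gives defenders two things to hunt for: a client resolving the same name at a near-constant 24-hour period, and, once the baseline L1.L2.L3.L4 has been pulled from a sample, a way to reconstruct from resolver logs what each observed answer would have instructed. The following Python is an added example written for this page, not code from Bitdefender or from the malware. The log format, the hostnames, the client addresses and the 111.111.111.x answers are all constructed; the baseline address is an analyst-supplied input, and the per-sample list of directory and file names that R1-R3 index into is not on the page, so it is not modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log, one record per line: "<ISO timestamp> <client> <qname> <answer>".
# The victim-tenant name and the 111.111.111.x answers are invented stand-ins for the
# attacker-controlled subdomain and tasking addresses the article describes.
SAMPLE_LOG = """\
2023-03-01T02:15:07Z 10.0.0.12 health.update.victim-tenant.invalid 111.111.111.110
2023-03-01T02:15:09Z 10.0.0.12 www.example.com 192.0.2.10
2023-03-02T02:15:11Z 10.0.0.12 health.update.victim-tenant.invalid 111.111.111.111
2023-03-02T09:40:00Z 10.0.0.33 www.example.com 192.0.2.10
2023-03-03T02:15:06Z 10.0.0.12 health.update.victim-tenant.invalid 111.111.111.111
2023-03-03T02:20:06Z 10.0.0.12 cdn.example.net 198.51.100.7
2023-03-04T02:15:10Z 10.0.0.12 health.update.victim-tenant.invalid 111.111.111.110
"""

PERIOD = timedelta(hours=24)  # the beacon interval stated in the article


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((stamp, client, qname, answer))
    return records


def find_periodic_queries(records, period=PERIOD, tolerance=timedelta(minutes=10), min_queries=3):
    """Return {(client, qname): [timestamps]} for names a client resolves at ~`period` intervals.

    A pair is flagged when it has at least `min_queries` lookups and every gap between
    consecutive lookups is within `tolerance` of `period`; ordinary browsing traffic
    rarely keeps a 24-hour cadence this tightly.
    """
    by_key = defaultdict(list)
    for ts, client, qname, _ in records:
        by_key[(client, qname)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_queries:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits[key] = stamps
    return hits


def interpret_tasking(answer, baseline):
    """Map a resolved answer onto the last-octet rule from the article.

    `baseline` is the implant's hardcoded L1.L2.L3.L4, which an analyst supplies from
    the sample. R4 == L4 means the webshell was deployed, R4 == L4 - 1 means it was
    removed, anything else means no webshell action.
    """
    r4 = int(answer.rsplit(".", 1)[1])
    l4 = int(baseline.rsplit(".", 1)[1])
    if r4 == l4:
        return "deploy"
    if r4 == l4 - 1:
        return "remove"
    return "none"


def triage(text, baseline):
    """Combine both checks: for each periodic (client, qname) pair, list every observed
    answer with the webshell action it would have implied, in time order."""
    records = parse_log(text)
    report = {}
    for key, _ in find_periodic_queries(records).items():
        events = sorted((ts, ans) for ts, c, q, ans in records if (c, q) == key)
        report[key] = [(ts.isoformat(), ans, interpret_tasking(ans, baseline)) for ts, ans in events]
    return report


if __name__ == "__main__":
    # Baseline chosen to match the article's illustrative address; real values come from the sample.
    for (client, qname), events in triage(SAMPLE_LOG, "111.111.111.111").items():
        print(f"{client} -> {qname}")
        for ts, ans, action in events:
            print(f"  {ts}  {ans:<16} webshell: {action}")
```

Run against a real resolver export, the periodicity check is the part worth keeping: it needs no sample-specific knowledge, so it can surface a hardcoded subdomain before anyone has the binary. The tasking interpretation only becomes meaningful after the baseline address has been recovered, and then it tells incident responders when a webshell was most likely written to disk and when the implant was told to clean up, which bounds the window in which IIS logs should be reviewed.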