BellaCPP Expands BellaCiao Capabilities in C++
Threat Group: Charming Kitten (APT35/APT42)
Threat Type: Dropper Malware
Exploited Vulnerabilities: Potential exploitation of Microsoft Exchange vulnerabilities (e.g., ProxyShell, ProxyNotShell)
Malware Used: BellaCPP
Threat Score: High (8.5/10) – Due to its targeted approach, advanced evasion techniques, and potential impact on critical infrastructure.
Last Threat Observation: December 21, 2024
Overview
BellaCPP is a newly identified variant of the BellaCiao malware, attributed to the Iranian state-sponsored group Charming Kitten, also known as APT35 or APT42. This variant is rewritten in C++, enhancing its complexity and evasion capabilities. First reported on December 20, 2024, BellaCPP is designed to deliver additional malware payloads onto compromised systems based on instructions from its command-and-control (C2) server. Notably, each BellaCPP sample is customized for specific victims, containing hardcoded information such as company names, subdomains, and public IP addresses.
Key Details
- Delivery Method: Exploitation of vulnerabilities in internet-exposed applications, particularly Microsoft Exchange servers.
- Target: Organizations across the United States, Europe, the Middle East, and India.
- Functions:
  - Delivers additional malware payloads based on C2 instructions.
  - Disables security defenses, such as Microsoft Defender.
  - Establishes persistence through masquerading as legitimate services.
  - Employs unique communication methods with C2 infrastructure.
  - Deploys web shells and backdoors for further exploitation.
- Obfuscation: Utilizes custom-built binaries tailored to individual victims, making detection challenging. Employs unique DNS-based communication to receive instructions passively.
Attack Vectors
BellaCPP primarily targets Microsoft Exchange servers, likely exploiting known vulnerabilities such as ProxyShell or ProxyNotShell. Upon successful exploitation, the malware disables Microsoft Defender using PowerShell commands and establishes persistence by creating new service instances that masquerade as legitimate Exchange services. It further deploys web shells and IIS backdoors to maintain access and facilitate additional malicious activities.
Known Indicators of Compromise (IoCs)
FileHash-MD5
- 103ce1c5e3fdb122351868949a4ebc77
- 14f6c034af7322156e62a6c961106a8c
- 222380fa5a0c1087559abbb6d1a5f889
- 28d02ea14757fe69214a97e5b6386e95
- 36b97c500e36d5300821e874452bbcb2
- 44d8b88c539808bb9a479f98393cf3c7
- 4c6aa8750dc426f2c676b23b39710903
- 8ecd457c1ddfbb58afea3e39da2bf17b
- ac4606a0e10067b00c510fb97b5bd2cc
- ac6ddd56aa4bf53170807234bc91345a
- e24b07e2955eb3e98de8b775db00dc68
- febf2a94bc59011b09568071c52512b5
FileHash-SHA1
- dccdfc77dd2803b3c5a97af0851efa0aa5bbeeeb
FileHash-SHA256
- e4e3f09c4257269cef6cfbebc83c8a60376ce5e547080502e3e408a3f9916218
Domain
- systemupdate[.]info
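The following script is an added example of how a defender can operationalise the hash and domain indicators listed above; it is not code from the advisory, from Kaspersky or from AlienVault. The hash sets and the domain are copied from the IoC list; the DNS log lines, their format, and the client addresses are constructed for the demonstration. Because each sample carries a per-victim subdomain, the DNS check matches any subdomain of the listed domain, not only the apex.

```python
import hashlib
import re

# Hash and domain indicators copied from the advisory's IoC list above.
IOC_MD5 = {
    "103ce1c5e3fdb122351868949a4ebc77", "14f6c034af7322156e62a6c961106a8c",
    "222380fa5a0c1087559abbb6d1a5f889", "28d02ea14757fe69214a97e5b6386e95",
    "36b97c500e36d5300821e874452bbcb2", "44d8b88c539808bb9a479f98393cf3c7",
    "4c6aa8750dc426f2c676b23b39710903", "8ecd457c1ddfbb58afea3e39da2bf17b",
    "ac4606a0e10067b00c510fb97b5bd2cc", "ac6ddd56aa4bf53170807234bc91345a",
    "e24b07e2955eb3e98de8b775db00dc68", "febf2a94bc59011b09568071c52512b5",
}
IOC_SHA1 = {"dccdfc77dd2803b3c5a97af0851efa0aa5bbeeeb"}
IOC_SHA256 = {"e4e3f09c4257269cef6cfbebc83c8a60376ce5e547080502e3e408a3f9916218"}
IOC_DOMAINS_DEFANGED = {"systemupdate[.]info"}


def refang(indicator):
    """Convert a defanged indicator ('systemupdate[.]info') back to its real form."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def hash_content(data):
    """Compute the three hash families the advisory lists, for one file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_file_content(data):
    """Return the hash families (md5/sha1/sha256) under which the content matches an IoC."""
    digests = hash_content(data)
    ioc_sets = {"md5": IOC_MD5, "sha1": IOC_SHA1, "sha256": IOC_SHA256}
    return [name for name, iocs in ioc_sets.items() if digests[name] in iocs]


def scan_paths(paths):
    """Hash each file on disk and report matches as (path, [families])."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            families = match_file_content(fh.read())
        if families:
            hits.append((path, families))
    return hits


# Constructed DNS resolver log lines (not real traffic): "<timestamp> <client> query <qname>".
SAMPLE_DNS_LOG = """\
2024-12-21T10:00:01Z 10.0.0.25 query www.example.com.
2024-12-21T10:00:07Z 10.0.0.40 query systemupdate.info.
2024-12-21T10:00:09Z 10.0.0.40 query mail-acme.systemupdate.info.
2024-12-21T10:00:12Z 10.0.0.12 query notsystemupdate.info.
""".splitlines()

DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def match_dns_log(lines):
    """Return (timestamp, client, qname) for queries to an IoC domain or any subdomain of it.

    Subdomains are matched because the samples carry per-victim subdomains; a plain
    substring test is avoided so that look-alike names such as notsystemupdate.info
    do not produce false positives.
    """
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((m["ts"], m["client"], qname))
    return hits


if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG):
        print("DNS IoC hit:", hit)
```

`scan_paths` takes an iterable of file paths (for example the Exchange server's web directories and service binary locations), and `match_dns_log` can be pointed at an exported resolver or DNS-server log; both return plain Python values so they can be wired into whatever alerting the SOC already uses.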
Mitigation and Prevention
- User Awareness: Conduct regular training to recognize phishing attempts and suspicious activities.
- Email Filtering: Implement advanced email filtering to detect and block malicious attachments and links.
- Antivirus Protection: Ensure up-to-date antivirus solutions are in place and regularly scan systems for malware.
- Two-Factor Authentication (2FA): Enforce 2FA to add an extra layer of security to user accounts.
- Monitor Logs: Regularly review system and network logs for unusual activities, such as unexpected service creations or PowerShell executions.
- Regular Updates: Promptly apply security patches and updates to all software, especially internet-exposed applications like Microsoft Exchange.
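The two behaviours called out in the Attack Vectors section and in the "Monitor Logs" item above (service instances masquerading as Exchange services, and PowerShell used to disable Microsoft Defender) can be turned into simple detection logic over Windows event records. The script below is an added example, not code from the advisory or its sources. It assumes events have already been exported to dictionaries carrying the fields of System event 7045 (service installed: ServiceName, ImagePath) and PowerShell/Operational event 4104 (ScriptBlockText); the sample events, the look-alike service name and its path are constructed, and the default Exchange install root is an assumption that must be adjusted for non-default installations.

```python
import re

# Assumption: genuine Exchange services run from the default install root. Adjust if
# Exchange is installed elsewhere.
EXCHANGE_ROOT = "c:\\program files\\microsoft\\exchange server\\"

# Service names that borrow Exchange branding.
EXCHANGE_NAME_RE = re.compile(r"exchange|msexch", re.I)

# PowerShell that turns Defender protection off or carves out exclusions.
DEFENDER_TAMPER_RE = re.compile(
    r"(Set|Add)-MpPreference\b.*?-(Disable\w*|Exclusion\w*)"
    r"|Uninstall-WindowsFeature\s+Windows-Defender",
    re.I,
)

# Constructed event records (not real telemetry), shaped like exported Windows events.
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "ServiceName": "MSExchangeTransport",
     "ImagePath": "\"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeTransport.exe\""},
    {"log": "System", "id": 7045, "ServiceName": "Microsoft Exchange Health Service",  # constructed look-alike
     "ImagePath": "C:\\ProgramData\\HealthSvc\\svchost.exe"},
    {"log": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"log": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
]


def normalize_path(image_path):
    """Strip quoting and arguments from a service ImagePath and lower-case it for comparison."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    return p.lower()


def detect(events):
    """Return one alert dict per event that matches either rule, in input order."""
    alerts = []
    for ev in events:
        if ev["id"] == 7045:
            name = ev["ServiceName"]
            path = normalize_path(ev["ImagePath"])
            # Exchange-branded name but the binary does not live under the Exchange root.
            if EXCHANGE_NAME_RE.search(name) and not path.startswith(EXCHANGE_ROOT):
                alerts.append({"rule": "exchange_lookalike_service",
                               "detail": "%s -> %s" % (name, ev["ImagePath"])})
        elif ev["id"] == 4104:
            script = ev.get("ScriptBlockText", "")
            if DEFENDER_TAMPER_RE.search(script):
                alerts.append({"rule": "defender_tamper_powershell", "detail": script})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "|", alert["detail"])
```

The service rule deliberately keys on the mismatch between branding and install path rather than on a fixed list of service names, since each sample is customised per victim; the PowerShell rule relies on script block logging (event 4104) being enabled on the Exchange host, which is itself a prerequisite worth verifying.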
Risk Assessment
BellaCPP poses a significant threat due to its targeted nature and advanced evasion techniques. Its ability to disable security defenses, establish persistent access, and deliver additional malware payloads tailored to specific victims increases the potential for data theft, espionage, and disruption of critical services. Organizations, particularly those using Microsoft Exchange servers, should assess their exposure to known vulnerabilities and ensure robust security measures are in place.
Conclusion
The emergence of BellaCPP underscores the evolving sophistication of threat actors like Charming Kitten. Organizations must remain vigilant, ensuring that systems are up-to-date, security defenses are robust, and users are educated about potential threats. Implementing a defense-in-depth strategy and regularly reviewing security postures will aid in mitigating the risks associated with such advanced malware.
Sources:
- Kaspersky SecureList - BellaCPP: Discovering a new BellaCiao variant written in C++
- AlienVault - Indicators of Compromise.