Charming Kitten, the infamous Iranian nation-state group, is actively targeting victims across Europe, the U.S., India and the Middle East with a new malware dubbed BellaCiao. The malware is the latest addition to their expansive custom toolkit.
BellaCiao was discovered by Bitdefender, who describe the malware as a “personalised dropper” that is capable of delivering malware payloads onto a victim machine based on commands received from a third-party, actor-controlled server.
Charming Kitten is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps. They’re also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm, TA453, and Yellow Garuda.
Paul Bischoff, Security and Privacy Advocate at Comparitech, noted: “The IRGC are state-sponsored hackers who launch sophisticated attacks against critical and high-value targets. They are not your run-of-the-mill cybercriminals looking for low-hanging fruit.”
The group is known for finding many ways to deploy backdoors in systems, across a wide range of industries.
Bischoff continues: “Antivirus might not help [BellaCiao] because the malware includes hardcoded information about victims, so the signatures are never the same. Instead, organisations need to monitor domain names, file names and paths, PowerShell script hashes, and IP addresses. They also need to update their Microsoft Exchange servers to remove zero days that BellaCiao and other malware can exploit.”
Previously, Charming Kitten was attributed by Microsoft to retaliatory attacks aimed at critical national infrastructure (CNI) entities across the U.S. between late 2021 and mid-2022, in which bespoke malware including Drokbk, Soldier and CharmPower was used.
James McQuiggan, Security Awareness Advocate at KnowBe4 added: “The discovery of Bella Ciao is a reminder of the ever-present threat of cyber attacks and the need for organisations to be vigilant in protecting their systems. Through threat intelligence and hunting, organisations must take proactive measures through vulnerability testing and remediation, patching and staying current on security updates of external facing systems, and educating and assessing their users to keep cybersecurity top of mind and a rich security culture environment.
“Bella Ciao’s ability to spread through a network, infecting multiple systems quickly, is particularly dangerous for organisations with large networks since it can quickly spread and cause widespread damage. Organisations can implement a defence-in-depth strategy with technology capabilities of firewalls, MFA, and patched systems. It’s essential for users to be aware of strange email requests from people they know and have a healthy level of skepticism.”
Last year, the APT group were linked with an Iranian spear-phishing campaign that targeted high-profile Israeli and US officials.