| Category | Details |
|---|---|
| Threat Actors | Charming Kitten |
| Campaign Overview | BellaCiao malware family first surfaced in April 2023; combines stealthy persistence (webshell) with covert tunnel creation. A new variant, BellaCPP, was observed on a machine in Asia in 2023. |
| Target Regions | Asia (a single infected machine was identified). Targeted entities are identifiable via PDB paths that name the target entity and country. |
| Methodology | Descriptive PDB paths used for versioning and targeting; XOR decryption of an embedded DLL before loading; domain generation for covert tunneling; abuse of Windows services (the malware runs as a service). |
| Products Targeted | Windows systems (e.g., DLLs dropped into `C:\Windows\System32`). |
| Malware Reference | BellaCiao (.NET-based malware family); BellaCPP (C++ variant). |
| Tools Used | PDB path analysis for tracking; encrypted DLLs (e.g., `D3D12_1core.dll`); domain generation of the form `<5 random letters><target identifier>.<country code>.systemupdate[.]info`. |
| Vulnerabilities Exploited | Persistence through Windows services; SSH tunneling for covert communication. |
| TTPs | Iterative malware development with versioning (MicrosoftAgentServices versions); covert tunneling via DNS and SSH; descriptive PDB paths that reveal operational details. |
| Attribution | Attributed to Charming Kitten with high confidence; links to previously seen domains and infection behavior from older BellaCiao samples. |
| Recommendations | Monitor for unusual domain activity and service behavior; conduct in-depth investigations to identify undetected samples; update detection rules to cover the evolving malware family. |
| Source | Securelist by Kaspersky |
Read full article: https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
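The Recommendations row asks defenders to monitor for unusual domain activity. The script below is an added example, not code from the article or from Kaspersky, that turns the domain-generation pattern quoted above (`<5 random letters><target identifier>.<country code>.systemupdate[.]info`) into a DNS-log matcher. It assumes lowercase ASCII letters for the random prefix, an alphanumeric target identifier and a two-letter country code; the log format and all query names in `SAMPLE_DNS_LOG` are constructed for the demonstration. Queries that hit the apex domain without matching the full pattern are reported at a lower confidence tier so a tuned pattern does not hide a loosely matching sighting.

```python
import re
from typing import Dict, List, Optional

# Constructed DNS query log lines (hypothetical; not from the article).
SAMPLE_DNS_LOG = """\
2023-06-01T10:00:01Z client=10.0.0.5 query=update.microsoft.com type=A
2023-06-01T10:00:07Z client=10.0.0.5 query=qwzrtacme.jp.systemupdate.info type=A
2023-06-01T10:00:09Z client=10.0.0.9 query=mail.example.org type=MX
2023-06-01T10:00:12Z client=10.0.0.7 query=systemupdate.info type=A
2023-06-01T10:00:15Z client=10.0.0.5 query=plmkobank01.kr.systemupdate.info type=A
"""

# Extracts the client and the queried name from one constructed log line.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

# Apex domain quoted in the article; a query for anything at or under it is
# worth triage even if the full generated-name pattern does not match.
APEX = "systemupdate.info"

# Full pattern as described: <5 random letters><target id>.<cc>.systemupdate.info
# Assumptions: ASCII letters, alphanumeric target identifier, two-letter
# country code; an optional trailing dot is tolerated for FQDN-style logs.
BELLA_DOMAIN_RE = re.compile(
    r"^(?P<prefix>[a-z]{5})(?P<target>[a-z0-9-]+)\."
    r"(?P<cc>[a-z]{2})\." + re.escape(APEX) + r"\.?$",
    re.IGNORECASE,
)


def match_bella_domain(name: str) -> Optional[Dict[str, str]]:
    """Return the parsed parts of a name that matches the full pattern, else None.

    The split between the random prefix and the target identifier is purely
    positional (first five letters), which is all the published description allows.
    """
    m = BELLA_DOMAIN_RE.match(name.strip().lower())
    if not m:
        return None
    return {"prefix": m["prefix"], "target": m["target"], "cc": m["cc"]}


def under_apex(name: str) -> bool:
    """True if the name is the apex domain itself or any subdomain of it."""
    n = name.strip().lower().rstrip(".")
    return n == APEX or n.endswith("." + APEX)


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Scan log lines and return hits in order, each tagged with a confidence level.

    level == "pattern": full generated-name pattern matched (parts included).
    level == "apex":    query touches systemupdate.info but not the full pattern.
    """
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line; skip
        query = m["query"]
        if not under_apex(query):
            continue
        hit = {"client": m["client"], "query": query}
        parts = match_bella_domain(query)
        if parts:
            hit.update(parts)
            hit["level"] = "pattern"
        else:
            hit["level"] = "apex"
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(h)
```

In production the apex-tier check is the one to keep broad: the random prefix and the positional split are guesses about the generator, while any traffic to the quoted domain is a sighting regardless of how the label was built.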
The above summary has been generated by an AI language model