Thursday, December 26, 2024


The Iranian nation-state hacking group commonly referred to as Charming Kitten has been observed using a C++ variant, tracked as BellaCPP, of the well-documented malware known as BellaCiao.

Russian cybersecurity firm Kaspersky, which identified the new version, said it found the artifact during an ongoing investigation into a compromised machine in Asia that was also infected with the BellaCiao malware.

Romanian cybersecurity firm Bitdefender first documented BellaCiao in April 2023, characterizing it as a sophisticated dropper capable of delivering additional malicious payloads. The group has deployed the malware in attacks targeting the United States, the Middle East, and India.

It is another example of the many custom-built malware families the actor has created over its operational history. Known for its affiliation with Iran's Islamic Revolutionary Guard Corps (IRGC), the advanced persistent threat (APT) group is tracked under monikers such as APT35, CALANQUE, Charming Kitten, Charming Cypress, ITG18, Mint Sandstorm (previously Phosphorus), Newscaster, TA453, and Yellow Garuda.

While the group's historical track record involves social engineering to build trust with targets and deliver malware, researchers have also identified BellaCiao-linked attacks that exploit known security vulnerabilities in public-facing applications such as Microsoft Exchange Server and Zoho ManageEngine.

"BellaCiao is a .NET-based malware family that offers a unique combination of web shell persistence and covert tunneling," said Kaspersky researcher Mert Degirmenci.

The C++ version of BellaCiao, a dynamic link library named "adhapl.dll", replicates the features of its predecessor, including code to load another, as yet unidentified DLL ("D3D12_1core.dll") that appears designed to establish an SSH tunnel.
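A defender-side check built from the two file names above, added here as an example and not code from Kaspersky or the article: it walks constructed Sysmon ImageLoad records and flags loads of either DLL name, recording whether the module came unsigned from outside the Windows system directories (the loading process path is a placeholder).

```python
"""Detection sketch for the two DLL names the article attributes to BellaCPP.
Added example, not Kaspersky's or the article's code. Assumes Sysmon Event ID 7
(ImageLoad) records flattened to 'key=value' pairs joined by '|'; the records
below are constructed and the loading process path is a placeholder."""
from pathlib import PureWindowsPath

# DLL names reported for the C++ variant. D3D12_1core.dll resembles the legitimate
# D3D12Core.dll but is not a Windows component (assumption made by this example).
SUSPECT_IMAGES = {"adhapl.dll", "d3d12_1core.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_record(line):
    """Turn 'k=v|k=v' into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def assess(record):
    """Return a hit dict when a suspect DLL name is loaded, else None."""
    path = record.get("imageloaded", "")
    module = PureWindowsPath(path).name.lower()
    if module not in SUSPECT_IMAGES:
        return None
    return {
        "time": record.get("utctime", ""),
        "process": record.get("image", ""),
        "module": module,
        "path": path,
        "system_dir": path.lower().startswith(SYSTEM_DIRS),
        "signed": record.get("signed", "").lower() == "true",
    }

def scan(lines):
    """Apply assess() to every record, keeping hits in log order."""
    return [hit for hit in (assess(parse_record(l)) for l in lines) if hit]

# Constructed sample: one legitimate DirectX runtime load, then the two suspect
# names loaded unsigned from a user-writable directory by a placeholder process.
SAMPLE_EVENTS = [
    "UtcTime=2024-12-26 09:00:01|Image=C:\\Games\\demo.exe"
    "|ImageLoaded=C:\\Windows\\System32\\D3D12Core.dll|Signed=true",
    "UtcTime=2024-12-26 09:00:07|Image=C:\\placeholder\\loader.exe"
    "|ImageLoaded=C:\\ProgramData\\adhapl.dll|Signed=false",
    "UtcTime=2024-12-26 09:00:08|Image=C:\\placeholder\\loader.exe"
    "|ImageLoaded=C:\\ProgramData\\D3D12_1core.dll|Signed=false",
]
```

A hit on either name from a non-system, unsigned path is a triage lead, not proof; the second DLL's purpose is still described by the article only as a likely SSH tunnel.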

BellaCPP's main point of difference from BellaCiao is that it lacks the built-in web shell component, which in BellaCiao allows arbitrary files to be uploaded or downloaded and commands to be executed.

"Looking at it from a high-level perspective, BellaCPP is a C++ version of the BellaCiao sample without the web shell, and it uses domains previously attributed to the threat actor," Degirmenci said.
