BellaCiao is a .NET malware family linked to Charming Kitten. It employs webshell-like persistence and covert tunneling, and analysis of the PDB paths left in its binaries reveals a versioning scheme that gives insight into the family's development and evolution.
“During an intrusion investigation in Asia, analysts discovered a BellaCiao sample (MD5 14f6c034af7322156e62a6c961106a8c) alongside a suspicious sample on the same machine.
The suspicious sample turned out to be a C++ reimplementation of an older BellaCiao variant, suggesting potential persistence or advanced evasion tactics.” BellaCiao's PDB paths contain descriptive elements that expose campaign details, such as the targeted entities and countries.
The string “MicrosoftAgentServices” appears in every PDB path, in some cases with an appended integer (for example “MicrosoftAgentServices2”). This points to a versioning scheme the developer most likely uses to track development iterations and maintain a diverse toolkit for operations.
Ten compilations of one component under the “MicrosoftAgentServices” directory progress from March to June 2023, with builds spread across the “MicrosoftAgentServices”, “MicrosoftAgentServices2” and “MicrosoftAgentServices3” subdirectories. This is the footprint of an iterative development process: the code is modified, rebuilt, and the build tree is occasionally renumbered.
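As an added example (not code from the report, and not the sample's own code), the following Python extracts PDB paths from RSDS CodeView records, which is where a PE stores the path a compiler embedded, and groups the builds by the integer suffix on the MicrosoftAgentServices directory. The records, GUIDs, ages, compile dates and path prefixes are constructed for illustration; only the directory naming follows the scheme described above. In a real triage the compile date comes from the PE header's TimeDateStamp rather than from a string.

```python
import re
import struct
import uuid
from collections import defaultdict

# Layout of an RSDS CodeView record (the payload the PE debug directory points at):
# "RSDS" | 16-byte GUID (little-endian fields) | u32 age | NUL-terminated PDB path
RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

def parse_rsds(blob: bytes, offset: int = 0) -> dict:
    """Decode one RSDS record starting at `offset` in `blob`."""
    if blob[offset:offset + 4] != RSDS_MAGIC:
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=blob[offset + 4:offset + 20])
    (age,) = struct.unpack_from("<I", blob, offset + 20)
    start = offset + RSDS_HEADER_LEN
    end = blob.index(b"\x00", start)
    path = blob[start:end].decode("utf-8", errors="replace")
    return {"guid": str(guid), "age": age, "pdb_path": path}

def extract_pdb_paths(blob: bytes) -> list:
    """Quick triage pass: scan raw file bytes for every RSDS record, no PE parsing needed."""
    return [parse_rsds(blob, m.start()) for m in re.finditer(re.escape(RSDS_MAGIC), blob)]

# Versioned project directory: "MicrosoftAgentServices" with an optional integer suffix.
VERSION_DIR = re.compile(r"[\\/](MicrosoftAgentServices)(\d*)[\\/]", re.IGNORECASE)

def version_from_path(pdb_path: str):
    """Build-tree version implied by the PDB path (1 for the bare directory name), or None."""
    m = VERSION_DIR.search(pdb_path)
    if not m:
        return None
    return int(m.group(2)) if m.group(2) else 1

def build_timeline(samples) -> dict:
    """Group (compile_date, rsds_record) pairs by version; each group sorted by date."""
    grouped = defaultdict(list)
    for compile_date, record in samples:
        info = parse_rsds(record)
        grouped[version_from_path(info["pdb_path"])].append(
            (compile_date, info["pdb_path"], info["guid"], info["age"]))
    return {v: sorted(entries) for v, entries in grouped.items()}

def make_rsds(guid_int: int, age: int, pdb_path: str) -> bytes:
    """Build a synthetic RSDS record (used only to construct the sample set below)."""
    return (RSDS_MAGIC + uuid.UUID(int=guid_int).bytes_le
            + struct.pack("<I", age) + pdb_path.encode() + b"\x00")

# Constructed sample set: GUIDs, ages, dates and the C:\build prefix are invented.
# Only the MicrosoftAgentServices / MicrosoftAgentServices2 / MicrosoftAgentServices3
# directory naming follows the scheme seen in the real PDB paths.
SAMPLES = [
    ("2023-03-14", make_rsds(0x11, 1, r"C:\build\MicrosoftAgentServices\obj\Release\MicrosoftAgentServices.pdb")),
    ("2023-04-02", make_rsds(0x12, 2, r"C:\build\MicrosoftAgentServices\obj\Release\MicrosoftAgentServices.pdb")),
    ("2023-05-09", make_rsds(0x13, 1, r"C:\build\MicrosoftAgentServices2\obj\Release\MicrosoftAgentServices.pdb")),
    ("2023-06-21", make_rsds(0x14, 1, r"C:\build\MicrosoftAgentServices3\obj\Release\MicrosoftAgentServices.pdb")),
]

if __name__ == "__main__":
    for version, builds in sorted(build_timeline(SAMPLES).items()):
        print(f"version {version}:")
        for compile_date, path, guid, age in builds:
            print(f"  {compile_date}  age={age}  {guid}  {path}")
```

The GUID and age are worth keeping alongside the path: together they identify the exact PDB a build was linked against, so two binaries with the same path but different GUID/age are different builds even before comparing hashes.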
Each compilation carries a unique MD5 hash, confirming that every build is a distinct binary. BellaCPP is a malicious C++ DLL, “adhapl.dll,” found alongside BellaCiao malware.
It resides in C:\Windows\System32 and has a single export, “ServiceMain,” the entry point a service host calls for a service implemented as a DLL. This indicates it runs as a Windows service, which likely provides persistence and mirrors the behavior of earlier BellaCiao variants.
The DLL executes a series of steps: XOR decryption of its strings, DLL loading, function resolution, domain generation, DNS record checking and, finally, a call to a function with a formatted string argument, likely for remote code execution.
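The string-decryption step is where an analyst usually starts, because the decrypted table typically contains the DLL and API names the loader resolves next. The following Python is an added example, not the sample's own code: it assumes a single-byte XOR key and NUL-separated strings (the real key and layout are not given on this page), brute-forces the key by scoring every candidate plaintext, and splits the result into DLL names and API names. The encrypted table is constructed from illustrative strings.

```python
import string

# Bytes we accept as "plausible plaintext": printable ASCII, minus vertical tab / form feed.
PRINTABLE = set(string.printable.encode("ascii")) - {0x0b, 0x0c}
# Substrings a runtime-resolved import table commonly contains; they break ties between
# keys that both happen to produce printable output.
MARKERS = (b".dll", b"Load", b"Proc", b"Dns")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def score(candidate: bytes) -> float:
    """Fraction of printable-or-NUL bytes plus a bonus per marker hit (higher is better)."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if b in PRINTABLE or b == 0)
    hits = sum(candidate.count(m) for m in MARKERS)
    return (printable + 3 * hits) / len(candidate)

def recover_strings(blob: bytes):
    """Brute-force a single-byte XOR key, then split the plaintext on its NUL separators."""
    key = max(range(256), key=lambda k: score(xor_bytes(blob, k)))
    plain = xor_bytes(blob, key)
    strings = [s.decode("ascii", errors="replace") for s in plain.split(b"\x00") if s]
    return key, strings

def classify(strings):
    """Separate DLL names (what gets loaded) from API names (what gets resolved)."""
    dlls = [s for s in strings if s.lower().endswith(".dll")]
    apis = [s for s in strings if s not in dlls]
    return dlls, apis

# Constructed test input: a hypothetical string table encrypted with key 0x5A.
# The strings are illustrative of a loader that resolves its imports at runtime; they are
# not taken from the sample, whose key and table layout are not published on this page.
KEY = 0x5A
PLAIN_TABLE = b"\x00".join([b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress",
                            b"dnsapi.dll", b"DnsQuery_A"]) + b"\x00"
ENCRYPTED_TABLE = xor_bytes(PLAIN_TABLE, KEY)

if __name__ == "__main__":
    key, strings = recover_strings(ENCRYPTED_TABLE)
    dlls, apis = classify(strings)
    print(f"key=0x{key:02x}  dlls={dlls}  apis={apis}")
```

If the sample uses a multi-byte or rolling key, the same scoring function still works; only the key space enumerated in `recover_strings` changes. The marker list should be adapted to what the surrounding code suggests (DNS API names when a DNS check follows, for instance), since a bare printable-ratio test will accept several wrong keys on short tables.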
Securelist's analysis identified a missing DLL that is likely responsible for creating an SSH tunnel, mirroring the behavior of a .NET-based sample in which the tunnel was established based on DNS resolution and hardcoded values, potentially providing remote access. Unlike older samples, no hardcoded webshell was found.
Several indicators strongly link BellaCPP to the Charming Kitten threat actor: code similarities to BellaCiao, the use of actor-associated domains, and domain generation and usage methods consistent with those observed in previous campaigns.
The presence of an older BellaCiao sample on the infected system further reinforces this attribution. Charming Kitten continues to evolve its malware arsenal, the BellaCiao family included.
The BellaCPP sample underscores the need for in-depth network and endpoint investigations to identify and mitigate otherwise unknown, undetected malware, since such tooling is what allows persistent threats to remain hidden within compromised environments.