'BellaCiao' Malware Updated and Deployed by Iranian APT
Category: Threat Actor Activity | Industries: Critical Infrastructure, Government, Media | Level: Tactical | Source: Bitdefender
The Iranian state-sponsored threat group Magic Hound (also known as APT35, Charming Kitten, Phosphorus, and Mint Sandstorm) has recently been observed deploying an updated variant of its 'BellaCiao' malware against organizations across the United States, Europe, the Middle East, and Asia. Suspected to be run by Iran's Islamic Revolutionary Guard Corps, Magic Hound has demonstrated proficiency in social engineering and phishing tactics and has shown a particular interest in exploiting vulnerabilities in public-facing applications, such as Log4Shell and Microsoft Exchange (ProxyLogon, ProxyShell, OWASSRF). Recent reports by Bitdefender researchers have uncovered the group's tactics, techniques, and procedures (TTPs), ranging from those used in its campaigns to its malware dropper BellaCiao, which was named after an Italian folk song associated with resistance fighting.
After establishing a foothold in the compromised environment, the operators used PowerShell to disable Microsoft Defender and create a new service for persistence. This allowed them to proceed unimpeded by security monitoring and maintain access to the system. Multiple malware components were dropped onto the compromised environment, including IIS backdoors, the BellaCiao executable, and web shells. The BellaCiao dropper was found to download a PowerShell script that executes Plink, a tool also downloaded by the malware. To achieve their objectives of espionage, data theft, and ransomware, among others, the operators may drop additional malware. Magic Hound's campaigns are categorized as highly sophisticated and active, with Microsoft reporting on its activities on April 18th, 2023, and highlighting the group's increased adoption of zero-day vulnerabilities. Magic Hound operators, who have a history of targeting political individuals, media members, and journalists by impersonating well-known figures, were recently reported by Microsoft to be focusing on critical infrastructure organizations.
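The chain described above (PowerShell disabling Defender, a new service for persistence, and Plink started for tunneling, preceded by a web shell under IIS) lends itself to process-creation detection with per-host correlation. The following is an added example written for this summary; it is not Bitdefender's or Anvilogic's detection logic and it does not use indicators from the report. The events are constructed, shaped like Sysmon Event ID 1 / Security 4688 fields, and the service name, binary path and remote host are placeholders. The rules rely only on documented tooling behaviour: the `Set-MpPreference -Disable*` cmdlet switches, `sc.exe create` / `New-Service`, Plink's `-R`/`-L`/`-D` port-forwarding switches, and `w3wp.exe` spawning a command interpreter.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not from the Bitdefender report). Service name,
# binary path and remote host are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("web01", "cmd.exe", "powershell.exe",
                 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent("web01", "powershell.exe", "sc.exe",
                 'sc.exe create EXAMPLE_SVC binPath= "C:\\ProgramData\\EXAMPLE\\svc.exe" start= auto'),
    ProcessEvent("web01", "svc.exe", "plink.exe",
                 "plink.exe -ssh -N -R 8443:127.0.0.1:443 user@EXAMPLE-HOST"),
    ProcessEvent("ws02", "explorer.exe", "powershell.exe", 'powershell.exe -c "Get-MpPreference"'),
    ProcessEvent("ws03", "cmd.exe", "sc.exe", "sc.exe query wuauserv"),
]


def is_defender_disabled(e: ProcessEvent) -> bool:
    # PowerShell host turning off a Defender feature: Set-MpPreference -Disable<Feature> $true / 1
    return (e.image.lower() == "powershell.exe"
            and re.search(r"Set-MpPreference\s+-Disable\w+\s+(\$true|1)\b", e.command_line, re.I) is not None)


def is_service_created(e: ProcessEvent) -> bool:
    # Service persistence via `sc.exe create ...` or the New-Service cmdlet.
    img = e.image.lower()
    return ((img == "sc.exe" and re.search(r"\bcreate\b", e.command_line, re.I) is not None)
            or (img == "powershell.exe" and re.search(r"\bNew-Service\b", e.command_line, re.I) is not None))


def is_tunneling_process(e: ProcessEvent) -> bool:
    # Plink launched with a port-forwarding switch (-R reverse, -L local, -D dynamic).
    return (e.image.lower() == "plink.exe"
            and re.search(r"(^|\s)-(R|L|D)\b", e.command_line) is not None)


def is_potential_web_shell(e: ProcessEvent) -> bool:
    # IIS worker process spawning a command interpreter is a classic web shell tell.
    return e.parent_image.lower() == "w3wp.exe" and e.image.lower() in {"cmd.exe", "powershell.exe"}


# Rule names roughly mirror the use cases listed on this page.
RULES = {
    "defender_disabled": is_defender_disabled,
    "service_created": is_service_created,
    "tunneling_process": is_tunneling_process,
    "potential_web_shell": is_potential_web_shell,
}

# The three-step sequence the report describes after initial access.
CHAIN = ("defender_disabled", "service_created", "tunneling_process")


def detect(events):
    """Return one (host, rule_name, image) tuple for every event that trips a rule."""
    findings = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                findings.append((e.host, name, e.image))
    return findings


def correlate(findings):
    """Group rule hits by host so the whole sequence can be judged per machine."""
    per_host = defaultdict(set)
    for host, name, _ in findings:
        per_host[host].add(name)
    return dict(per_host)


def hosts_with_full_chain(findings):
    """Hosts on which every step of CHAIN fired: the high-confidence alert."""
    return sorted(h for h, rules in correlate(findings).items() if all(c in rules for c in CHAIN))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, name, image in hits:
        print(f"{host}: {name} ({image})")
    print("full chain on:", hosts_with_full_chain(hits))
```

Each individual rule will fire on legitimate administration from time to time (an admin really may run `sc create`); the value is in `hosts_with_full_chain`, which only alerts when monitoring is impaired, persistence is added and a tunnel appears on the same host, which is exactly the sequence this summary describes.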
Anvilogic Use Cases:
- System Monitoring Impaired for Service Mod & Tunnel/Execution
- Windows Defender Disabled Detection
- Potential Web Shell
- Tunneling Process Created