Charming Kitten, an Iranian state-sponsored APT group, is actively targeting multiple victims in the United States, Europe, the Middle East and India with a novel malware called BellaCiao. Discovered by Bitdefender Labs, the “personalized dropper” is capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. Microsoft has attributed retaliatory attacks against critical infrastructure entities in the United States to the threat actor. Check Point has also revealed the group’s use of an updated version of the PowerLess implant to target organizations located in Israel.
BellaCiao is noteworthy for performing a DNS request every 24 hours to resolve a subdomain to an IP address, which is then parsed to extract commands to be executed on the compromised system. Depending on the resolved IP address, the attack chain leads to the deployment of a web shell, or of the Plink tool, which supports the ability to upload and download arbitrary files as well as run commands. The attacks are assessed to be a second stage following opportunistic attacks, wherein BellaCiao is customized and deployed against carefully selected victims of interest. To protect against modern attacks, Bitdefender recommends implementing a defense-in-depth architecture, starting with reducing the attack surface and promptly patching newly discovered vulnerabilities.
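The 24-hour DNS resolution described above is a beaconing pattern a defender can hunt for in DNS query logs. The following is an added example, not code from the report or from Bitdefender: it groups queries by (client, name) and flags pairs whose consecutive lookups recur at roughly 24-hour intervals. The log format and all hostnames and addresses are constructed for the example and are not indicators from the report.

```python
"""Flag (client, name) pairs whose DNS queries recur every ~24 hours."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log: "<timestamp> <client> <queried name>".
# Names and addresses are placeholders, not indicators of compromise.
SAMPLE_LOG = """\
2024-01-01T09:00:12Z 10.0.0.5 update.example-cdn.test
2024-01-01T09:00:15Z 10.0.0.7 www.example.test
2024-01-02T09:00:10Z 10.0.0.5 update.example-cdn.test
2024-01-02T11:30:00Z 10.0.0.7 www.example.test
2024-01-03T09:00:14Z 10.0.0.5 update.example-cdn.test
2024-01-03T15:00:00Z 10.0.0.7 www.example.test
"""


def parse_log(text):
    """Group query timestamps by (client, queried name)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        seen[(client, name)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return seen


def find_daily_beacons(text, period=timedelta(hours=24),
                       tolerance=timedelta(minutes=5), min_hits=3):
    """Return (client, name) pairs whose lookups recur every ~period.

    Every gap between consecutive queries must fall within +/- tolerance of
    the period; min_hits avoids flagging pairs seen only once or twice.
    """
    hits = []
    for key, times in parse_log(text).items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for client, name in find_daily_beacons(SAMPLE_LOG):
        print(f"daily beacon: {client} -> {name}")
```

Run it over a real export by replacing SAMPLE_LOG with your resolver's query log in the same three-column shape; the tolerance window should be widened if your clients are expected to jitter their scheduled tasks.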
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.
Source: Hackernews