Full Report
The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao. Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a "recent" investigation into a compromised machine in Asia that was also infected with the BellaCiao malware. BellaCiao was first
Analysis Summary
# Tool/Technique: BellaCPP (C++ Variant of BellaCiao)
## Overview
BellaCPP is a new variant of the BellaCiao malware family, rewritten in C++ and deployed by the Iranian threat group Charming Kitten. It retains functionality similar to its .NET predecessor but appears to lack the web shell component, focusing instead on establishing a covert SSH tunnel into the compromised host.
## Technical Details
- Type: Malware family (Variant)
- Platform: Windows (the artifacts are Windows DLLs, consistent with the targets of the .NET original)
- Capabilities: DLL execution, loading a secondary payload DLL, establishing an SSH tunnel. Lacks the web shell functionality present in the original BellaCiao.
- First Seen: Reported by Kaspersky in a recent investigation of a compromised machine in Asia; BellaCiao itself was first documented in April 2023.
## MITRE ATT&CK Mapping
*Note: The source does not state ATT&CK mappings; the techniques below are inferred from the reported capabilities (DLL execution and loading, SSH tunnelling).*
- TA0002 - Execution
- T1129 - Shared Modules (execution of `adhapl.dll` and loading of the secondary DLL `D3D12_1core.dll`)
- TA0011 - Command and Control
- T1572 - Protocol Tunneling (SSH tunnel carrying operator traffic to and from the host; SSH is not a web protocol, so T1071.001 does not apply here)
## Functionality
### Core Capabilities
- Execution of the DLL `adhapl.dll`.
- Loading of an additional malicious DLL, `D3D12_1core.dll`.
- Establishment of an SSH tunnel.
### Advanced Features
- Rewritten in C++, so it runs as native code without the .NET runtime and without the CIL metadata that makes managed binaries straightforward to decompile; the practical gain is evasion of .NET-focused detection and analysis tooling rather than performance.
- Focus on covert tunnelling: the SSH tunnel gives the operator an encrypted channel into the host that can carry remote command execution and data exfiltration, roles the web shell served in the original BellaCiao.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the summary text]
- File Names: `adhapl.dll`, `D3D12_1core.dll`
- Registry Keys: [Not explicitly provided in the summary text]
- Network Indicators: SSH Tunnel endpoints (C2 infrastructure) [Defanged addresses not provided]
- Behavioral Indicators: Loading of unknown DLLs by a compromised service/application, establishment of outbound SSH connections to external hosts.
## Associated Threat Actors
- Charming Kitten (APT35, CALANQUE, Mint Sandstorm, TA453, etc.)
## Detection Methods
- Signature-based detection: Signatures on the reported file names (`adhapl.dll`, `D3D12_1core.dll`). Match the full base name exactly: `D3D12_1core.dll` resembles the legitimate Direct3D 12 runtime module `D3D12Core.dll`, so a substring match produces false positives, and file names are trivial for the operator to change between samples, so treat this as a low-confidence indicator.
- Behavioral detection: Monitoring for loading of unsigned DLLs from non-standard directories by service or server processes, and for outbound SSH connections initiated by processes that are not SSH clients; correlating the two on the same process is the strongest signal.
- YARA rules: [Not explicitly provided in the summary text]
## Mitigation Strategies
- Patch the initial-access vectors associated with BellaCiao campaigns, in particular Microsoft Exchange Server and Zoho ManageEngine vulnerabilities.
- Implement application control (for example WDAC or AppLocker DLL rules) to block loading of unsigned or unapproved DLLs.
- Network monitoring should flag outbound SSH (TCP/22, or SSH banners on other ports) from hosts and processes that do not normally initiate SSH sessions, especially Exchange and ManageEngine servers.
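The behavioral detection and the network-monitoring mitigation above reduce to the same correlation: a process that loads an unexpected DLL and then initiates an outbound SSH connection. The script below is an added example (not code from the Kaspersky report and not part of the malware) that runs that logic over Sysmon-style events. The event records, process paths, GUIDs, IP addresses (RFC 5737 documentation ranges), SSH-client allow-list and trusted-directory list are all constructed for illustration; only the two DLL names come from the report.

```python
"""Correlate Sysmon-style events to flag BellaCPP-like behaviour.

Added example, not code from the Kaspersky report or from the malware.
All events, paths, GUIDs, IP addresses and allow-lists below are
constructed for illustration.
"""
from collections import defaultdict

# File names reported for BellaCPP. Matched exactly on the base name so the
# legitimate Direct3D module D3D12Core.dll does not collide.
KNOWN_DLL_NAMES = {"adhapl.dll", "d3d12_1core.dll"}

# Assumption: processes that are expected to originate SSH sessions.
SSH_CLIENT_ALLOWLIST = {"ssh.exe", "putty.exe", "plink.exe", "winscp.exe"}

# Assumption: directories from which a service normally loads modules.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def basename(path: str) -> str:
    """Lower-case final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of alert dicts for a chronologically ordered event stream.

    Each event is a dict carrying the Sysmon fields used here:
      ID 7 (Image loaded):    ProcessGuid, Image, ImageLoaded, Signed
      ID 3 (Network connect): ProcessGuid, Image, Initiated,
                              DestinationIp, DestinationPort
    """
    alerts = []
    tainted = defaultdict(list)  # ProcessGuid -> suspicious DLLs it loaded

    for ev in events:
        guid = ev.get("ProcessGuid")
        image = ev.get("Image", "")

        if ev.get("EventID") == 7:
            dll = ev.get("ImageLoaded", "")
            if basename(dll) in KNOWN_DLL_NAMES:
                tainted[guid].append(dll)
                alerts.append({"severity": "high", "rule": "bellacpp_dll_name",
                               "image": image, "detail": dll})
            elif (ev.get("Signed", "false").lower() != "true"
                  and not dll.lower().startswith(TRUSTED_DLL_DIRS)):
                tainted[guid].append(dll)
                alerts.append({"severity": "medium",
                               "rule": "unsigned_dll_untrusted_dir",
                               "image": image, "detail": dll})

        elif ev.get("EventID") == 3:
            if ev.get("Initiated", "false").lower() != "true":
                continue  # inbound connections are not a tunnel start
            if int(ev.get("DestinationPort", 0)) != 22:
                continue
            if basename(image) in SSH_CLIENT_ALLOWLIST:
                continue
            # Outbound SSH from a process that already loaded a suspicious
            # DLL is the strongest signal; otherwise still worth a look.
            severity = "critical" if guid in tainted else "medium"
            alerts.append({"severity": severity, "rule": "unexpected_outbound_ssh",
                           "image": image,
                           "detail": f"{ev.get('DestinationIp')}:22 "
                                     f"after loading {tainted.get(guid, [])}"})
    return alerts


# Constructed sample stream: a service process loads both reported DLLs and
# then opens SSH to 203.0.113.10; an ordinary ssh.exe session and an inbound
# connection are included to show what is ignored.
SVC = "C:\\Windows\\System32\\svchost.exe"
SSH = "C:\\Windows\\System32\\OpenSSH\\ssh.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": SVC, "Signed": "false",
     "ImageLoaded": "C:\\ProgramData\\adhapl.dll"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": SVC, "Signed": "false",
     "ImageLoaded": "C:\\ProgramData\\D3D12_1core.dll"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": SSH, "Signed": "true",
     "ImageLoaded": "C:\\Windows\\System32\\ws2_32.dll"},
    {"EventID": 7, "ProcessGuid": "{C}", "Signed": "false",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": SVC, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "22"},
    {"EventID": 3, "ProcessGuid": "{B}", "Image": SSH, "Initiated": "true",
     "DestinationIp": "192.0.2.5", "DestinationPort": "22"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": SVC, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 3, "ProcessGuid": "{D}", "Image": SVC, "Initiated": "false",
     "DestinationIp": "198.51.100.7", "DestinationPort": "22"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['severity']:8}] {a['rule']:27} "
              f"{basename(a['image'])}: {a['detail']}")
```

On the sample stream this raises two high alerts for the reported file names, one medium alert for the unsigned DLL loaded from a user temp directory, and a critical alert when the tainted service process opens SSH to an external address; the allow-listed ssh.exe session, the port-443 connection and the inbound connection produce nothing. In production the allow-list and trusted-directory assumptions need tuning per environment, and the file-name rule should be kept separate from the correlation rule because it will be the first to go stale.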
## Related Tools/Techniques
- BellaCiao (.NET-based predecessor)
- Web shells (present in the original BellaCiao, absent from the BellaCPP variant)