An investigation into an intrusion in Asia involving the BellaCiao .NET malware has provided insight into the malware's versioning and development timeline. The initial sample (MD5 14f6c034af7322156e62a6c961106a8c) shed light on the attackers' tactics, techniques, and procedures.
A second suspicious sample found on the same machine exhibited functionality similar to BellaCiao but turned out to be a C++ reimplementation of an older version. This indicates that the actors behind the intrusion are adapting and refining their tooling to evade detection while pursuing the same objectives.
One notable aspect of BellaCiao is its PDB paths, which contain descriptive elements that reveal campaign details such as the targeted entity and country. Historical samples consistently contain the string "MicrosoftAgentServices" in these PDB paths, a stable marker across the malware's development.
Some samples carry numerical suffixes such as "MicrosoftAgentServices2" or "MicrosoftAgentServices3", implying that the developer versions the project and is actively updating the malware to stay ahead of defenses.
The compilation history of components built from the "MicrosoftAgentServices" project supports this reading: the move from early, less structured samples to versioned directories like "MicrosoftAgentServices2" and "MicrosoftAgentServices3" points to a more organized, iterative development process.
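A PDB path is stored in a PE's CodeView debug record (signature "RSDS", followed by a GUID, an age counter and the NUL-terminated path). The following is an added triage example, not code from the page or from Kaspersky: it parses an RSDS record, extracts the "MicrosoftAgentServices" indicator and any version suffix, and splits the path into components an analyst would read for descriptive target or country elements. The GUID and the PDB path in `SAMPLE_RSDS` are constructed for illustration and are not real BellaCiao artifacts.

```python
import re
import struct
import uuid

# Constructed CodeView RSDS record, as an IMAGE_DEBUG_DIRECTORY entry would point at it.
# Layout: b"RSDS" | 16-byte GUID (little-endian fields) | 4-byte age | NUL-terminated path.
# The GUID and path are made up for this example, not taken from a real sample.
SAMPLE_PDB_PATH = r"C:\dev\MicrosoftAgentServices3\obj\Release\MicrosoftAgentServices.pdb"
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 1)
    + SAMPLE_PDB_PATH.encode("ascii")
    + b"\x00"
)

# Project name seen in historical BellaCiao PDB paths; the optional digits are the version suffix.
PROJECT_RE = re.compile(r"MicrosoftAgentServices(\d*)", re.IGNORECASE)


def parse_rsds(blob: bytes) -> dict:
    """Parse one RSDS record and return its GUID, age and PDB path."""
    if len(blob) < 24 or blob[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=blob[4:20])
    (age,) = struct.unpack_from("<I", blob, 20)
    end = blob.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    path = blob[24:end].decode("utf-8", errors="replace")
    return {"guid": str(guid), "age": age, "pdb_path": path}


def find_pdb_paths(data: bytes) -> list:
    """Scan raw file bytes for RSDS records, a quick triage that needs no PE parser.
    The signature can occur by chance, so the debug directory stays authoritative."""
    found = []
    pos = data.find(b"RSDS")
    while pos != -1:
        try:
            found.append(parse_rsds(data[pos:]))
        except ValueError:
            pass
        pos = data.find(b"RSDS", pos + 4)
    return found


def triage_pdb_path(path: str) -> dict:
    """Report whether the indicator string is present, the highest version suffix
    found (None when the project name has no suffix), and the path components to
    inspect for descriptive target or country elements."""
    suffixes = [int(s) for s in PROJECT_RE.findall(path) if s]
    return {
        "matches_indicator": PROJECT_RE.search(path) is not None,
        "version": max(suffixes) if suffixes else None,
        "components": [c for c in re.split(r"[\\/]", path) if c],
    }


if __name__ == "__main__":
    record = parse_rsds(SAMPLE_RSDS)
    print(record)
    print(triage_pdb_path(record["pdb_path"]))
```

On a real sample the same functions run over the file bytes (`find_pdb_paths(open(path, "rb").read())`), and the recovered GUID and age can be compared across samples to cluster builds of the same project.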
BellaCPP, a C++-based DLL linked to BellaCiao, installs itself as a Windows service and carries out functions related to system updates and DNS checks. It generates domain names from templates and sends its queries to specific IP addresses, likely for command-and-control communication. That behaviour is also a detection opportunity: DNS traffic from a host to an address that is not one of the organization's resolvers, repeated on a schedule, stands out in DNS or firewall logs.
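The network-side check described above, as an added example that is not part of the original page or of Kaspersky's analysis: it parses DNS log lines, flags queries sent to any address outside an approved resolver set, summarizes them per source host, and looks for series of identical queries at near-constant intervals. The log lines, the resolver address 10.0.0.53, the TEST-NET address 203.0.113.9 and the queried names are all constructed for this example; the real BellaCPP domain template is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed DNS log (not from the report or any real intrusion), in a simple
# key=value form. 10.0.0.53 plays the role of the corporate resolver.
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:01Z src=10.0.0.21 dst=10.0.0.53 qname=intranet.corp.example
2024-05-01T09:00:05Z src=10.0.0.21 dst=10.0.0.53 qname=mail.corp.example
2024-05-01T09:01:10Z src=10.0.0.37 dst=203.0.113.9 qname=svc-update.check.example
2024-05-01T09:06:10Z src=10.0.0.37 dst=203.0.113.9 qname=svc-update.check.example
2024-05-01T09:11:10Z src=10.0.0.37 dst=203.0.113.9 qname=svc-update.check.example
2024-05-01T09:02:00Z src=10.0.0.21 dst=10.0.0.53 qname=updates.corp.example
"""

ALLOWED_RESOLVERS = {"10.0.0.53"}  # hypothetical approved resolver set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) qname=(?P<qname>\S+)$"
)


def parse_dns_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_rogue_resolver_queries(records: list, allowed=ALLOWED_RESOLVERS) -> list:
    """Queries sent directly to an address that is not an approved resolver. A service
    that performs its own DNS checks against hardcoded addresses shows up here."""
    return [r for r in records if r["dst"] not in allowed]


def summarize_by_source(rogue: list) -> dict:
    """Per source host: destination IPs contacted, names queried and query count."""
    summary = defaultdict(lambda: {"resolvers": set(), "qnames": set(), "count": 0})
    for r in rogue:
        entry = summary[r["src"]]
        entry["resolvers"].add(r["dst"])
        entry["qnames"].add(r["qname"])
        entry["count"] += 1
    return dict(summary)


def beaconing_candidates(records: list, min_repeats: int = 3, tolerance: float = 0.2) -> dict:
    """Series of identical (src, dst, qname) queries whose gaps all lie within
    `tolerance` of the mean gap. Returns {(src, dst, qname): mean_gap_seconds}."""
    series = defaultdict(list)
    for r in records:
        # Older Pythons do not accept a trailing "Z" in fromisoformat, so normalize it.
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        series[(r["src"], r["dst"], r["qname"])].append(ts)
    found = {}
    for key, times in series.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            found[key] = mean
    return found


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    rogue = find_rogue_resolver_queries(recs)
    print(summarize_by_source(rogue))
    print(beaconing_candidates(recs))
```

The resolver allow-list is the cheap first filter; the interval check then separates a scheduled DNS-based check-in from one-off misconfigurations, which is the pattern to pivot on when hunting for a variant that signatures for the .NET build do not catch.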
Although the D3D12_1core.dll file could not be retrieved, analysis suggests that it establishes an SSH tunnel, enabling remote access or data exfiltration. The C++ sample lacks a hardcoded webshell but otherwise aligns with previous BellaCiao variants, indicating shared functionality and a likely common origin.
Kaspersky's analysis of the BellaCPP sample points to the Charming Kitten threat actor, which has used the same domain generation technique and previously attributed domains. The case underscores the value of thorough network investigations: a variant of a known family can sit undetected on a compromised host while signatures for the earlier build report nothing.
In conclusion, the continuing evolution of BellaCiao and its variants shows that a known family can resurface in a new implementation. Organizations should keep their defenses current and hunt for behavioural traits shared across variants, rather than relying on indicators tied to a single version.
