BellaCiao Reborn: Iranian Hackers Deploy C++ Version of Malware
The hacker group Charming Kitten continues to advance its malicious software, as evidenced by a recent discovery by Kaspersky Lab researchers: a new variant of BellaCiao, now rewritten in C++.
This sample, dubbed BellaCPP, was found on the same system that had previously been infected with the original .NET-based BellaCiao. Researchers determined that while the new version retains the core functionality of its predecessor, it no longer includes an embedded web shell.
An analysis of the debug symbol path (PDB path) revealed that BellaCiao samples carry metadata that identifies the target country and organization. The PDB strings frequently contain the name MicrosoftAgentServices followed by numerical suffixes that denote versions. This suggests meticulous work by the developers to enhance functionality and improve attack efficiency.
Found as a DLL file named adhapl.dll, BellaCPP exhibits behavior similar to earlier iterations. It decodes XOR-encrypted strings at runtime, calls functions exported by DLLs, and generates domain names according to specific patterns. If the answer to a DNS query for such a domain matches a hardcoded IP address, the malware proceeds to execute commands, including setting up SSH tunnels.
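The DNS lookup that gates command execution is the part of this behavior a defender can observe from resolver logs. The following is an added example, not code from Kaspersky's report or from the malware: it scans constructed resolver log lines for hosts that resolve a domain matching a hypothetical generation pattern to a placeholder trigger address, and separately for hosts that poll such domains repeatedly. The log format, the domain pattern and the trigger IP are all constructed for illustration; real values come only from analysis of an actual sample.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not real BellaCPP indicators):
# "<timestamp> <host> <queried domain> <answer>"
SAMPLE_LOG = """\
2024-12-01T10:00:01Z ws-17 update.microsoft.com 20.10.1.5
2024-12-01T10:00:05Z ws-17 srv3-mail-example-org.constructed-c2.test 198.51.100.7
2024-12-01T10:05:05Z ws-17 srv3-mail-example-org.constructed-c2.test 198.51.100.7
2024-12-01T10:10:05Z ws-17 srv3-mail-example-org.constructed-c2.test 198.51.100.7
2024-12-01T10:11:00Z ws-22 srv3-mail-example-org.constructed-c2.test 203.0.113.9
2024-12-01T10:12:00Z ws-22 cdn.example.net 93.184.216.34
"""

# Placeholder for the hardcoded "go" address the article describes; in a real
# hunt it is recovered from the sample's decoded strings, not from this text.
TRIGGER_IP = "198.51.100.7"
# Hypothetical generation pattern: four dash-separated labels under a fixed
# parent zone. The real pattern must be taken from the analysed sample.
GENERATED_DOMAIN = re.compile(
    r"^[a-z0-9]+-[a-z]+-[a-z]+-[a-z]+\.constructed-c2\.test$"
)

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, host, domain, answer) tuples from resolver log text."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def find_activation_checks(text, trigger_ip=TRIGGER_IP, pattern=GENERATED_DOMAIN):
    """Return {host: count} for hosts that resolved a pattern-matching domain
    to the trigger IP, i.e. the lookup result that unlocks command execution."""
    hits = defaultdict(int)
    for _ts, host, domain, answer in parse_log(text):
        if pattern.match(domain) and answer == trigger_ip:
            hits[host] += 1
    return dict(hits)

def find_polling_hosts(text, pattern=GENERATED_DOMAIN, min_queries=3):
    """Return {host: count} for hosts that query pattern-matching domains at
    least min_queries times; the polling is visible whatever the answer is."""
    counts = defaultdict(int)
    for _ts, host, domain, _answer in parse_log(text):
        if pattern.match(domain):
            counts[host] += 1
    return {h: c for h, c in counts.items() if c >= min_queries}
```

Alerting on the polling alone catches an implant that is waiting for its trigger, while the activation check pinpoints the moment the operator turned it on.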
Similar behavior was observed in earlier versions of BellaCiao; however, BellaCPP introduces a streamlined interaction mechanism that no longer relies on a web shell. A file that was not recovered from the system, D3D12_1core.dll, is suspected to play a role in establishing the SSH tunnels, thereby enhancing the resilience of the attacks.
Based on similarities in mechanisms and the use of known domains, experts confidently attribute BellaCPP to Charming Kitten. Furthermore, the presence of both BellaCPP and the original BellaCiao on the same system underscores a strategic approach of deploying modified samples to bypass security defenses.
This incident highlights the critical importance of deep analysis within infected networks, as threat actors are continuously developing new malware variants capable of evading standard security solutions.