
BellaCPP: Discovering a new BellaCiao variant written in C++

Introduction

BellaCiao is a .NET-based malware family that adds an unusual twist to an intrusion: it combines the stealthy persistence of a webshell with the ability to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor Charming Kitten. One notable aspect of the BellaCiao samples is how much information they expose through their PDB paths, including a versioning scheme that we were able to work out once we analyzed historical records.

Recently, we were investigating an intrusion that involved a BellaCiao sample (MD5 14f6c034af7322156e62a6c961106a8c) on a computer in Asia. Our telemetry indicated another suspicious, and possibly related, sample on the same machine. After further investigation of the sample, it turned out to be a reimplementation of an older BellaCiao version, but written in C++.

BellaCiao: PDB analysis

BellaCiao has very descriptive PDB paths that expose important details of a campaign, such as the target entity and country. In addition, after analyzing several historical samples, we found that all PDB paths contained the string “MicrosoftAgentServices”. Some samples had a single digit appended to the string, as in “MicrosoftAgentServices2” and “MicrosoftAgentServices3”. Such integers typically indicate versioning by the malware developer, used to differentiate iterations or updates. Tracking builds this way lets the developer keep a record of changes in the malware’s capabilities and helps the APT actor maintain a diverse and evolving arsenal.

Below are the last 10 samples with their compiler timestamps, taken from the TimeDateStamp field of the PE header. This field is trivially forgeable, so the timestamps are treated as supporting evidence rather than ground truth; in this case they are consistent with the version progression in the PDB paths.

MD5                               Partial PDB                                      Compiler timestamp
44D8B88C539808BB9A479F98393CF3C7  MicrosoftAgentServices\MicrosoftAgentServices    Mon Mar 27 05:26:40 2023
E24B07E2955EB3E98DE8B775DB00DC68  MicrosoftAgentServices\MicrosoftAgentServices    Wed Apr 12 13:02:04 2023
8ECD457C1DDFBB58AFEA3E39DA2BF17B  MicrosoftAgentServices\MicrosoftAgentServices    Fri Apr 14 15:29:28 2023
103CE1C5E3FDB122351868949A4EBC77  MicrosoftAgentServices\MicrosoftAgentServices    Sat Apr 22 18:47:41 2023
28D02EA14757FE69214A97E5B6386E95  MicrosoftAgentServices\MicrosoftAgentServices    Sun Apr 23 11:33:32 2023
4C6AA8750DC426F2C676B23B39710903  MicrosoftAgentServices2\MicrosoftAgentServices   Sat May 06 11:50:21 2023
AC4606A0E10067B00C510FB97B5BD2CC  MicrosoftAgentServices2\MicrosoftAgentServices   Sun Jun 11 08:15:29 2023
AC6DDD56AA4BF53170807234BC91345A  MicrosoftAgentServices3\MicrosoftAgentServices   Tue Jun 27 21:25:29 2023
36B97C500E36D5300821E874452BBCB2  MicrosoftAgentServices3\MicrosoftAgentServices   Tue Jun 27 22:44:06 2023
FEBF2A94BC59011B09568071C52512B5  MicrosoftAgentServices3\MicrosoftAgentServices   Tue Jun 27 23:14:44 2023

It is worth noting that the first known BellaCiao samples did not feature this versioning system, which only appeared later. This is consistent with the project maturing over time, with more disciplined development and refined capabilities.
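The three artefacts this section relies on (the PE compiler timestamp, the CodeView RSDS record carrying the PDB path, and the digit appended to “MicrosoftAgentServices”) can be pulled out of a sample without third-party libraries. The following Python script is an added example, not code from the Securelist post or from the malware: it locates the RSDS record by scanning for its magic rather than walking the debug directory, so it also works on truncated or partially overwritten samples, at the cost of being heuristic. The PE-like blob it builds inline is constructed for this example only; its GUID and PDB path are made up to match the pattern described above and do not come from any BellaCiao sample. Pass a file path on the command line to run it against a real sample.

```python
import re
import struct
import sys
import uuid
from datetime import datetime, timezone
from typing import Optional

# Added example for PE triage of BellaCiao-style samples; not the post's own code.
RSDS_MAGIC = b"RSDS"
PDB_VERSION_RE = re.compile(r"MicrosoftAgentServices(\d*)")
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def coff_header(data: bytes) -> dict:
    """Parse e_lfanew and the 20-byte COFF file header (machine, sections, timestamp, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # TimeDateStamp is set by the linker and is attacker-controllable: corroborate it.
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "compiled": compiled.strftime("%a %b %d %H:%M:%S %Y"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def find_rsds(data: bytes) -> Optional[dict]:
    """Scan for a CodeView record: 'RSDS' + GUID(16) + age(4) + NUL-terminated PDB path."""
    pos = 0
    while (pos := data.find(RSDS_MAGIC, pos)) != -1:
        start = pos + 4
        guid_raw = data[start:start + 16]
        age_raw = data[start + 16:start + 20]
        end = data.find(b"\0", start + 20)
        if len(guid_raw) == 16 and len(age_raw) == 4 and end != -1:
            path = data[start + 20:end]
            # Reject 'RSDS' that merely occurs as ordinary bytes: demand a printable *.pdb path.
            if path.lower().endswith(b".pdb") and all(0x20 <= b < 0x7F for b in path):
                return {
                    "guid": str(uuid.UUID(bytes_le=guid_raw)),
                    "age": struct.unpack("<I", age_raw)[0],
                    "pdb_path": path.decode("ascii"),
                }
        pos += 4
    return None


def pdb_version(pdb_path: str) -> Optional[int]:
    """Return the digit appended to 'MicrosoftAgentServices' in the PDB path, or None if absent."""
    for digits in PDB_VERSION_RE.findall(pdb_path):
        if digits:
            return int(digits)
    return None


def triage(data: bytes) -> dict:
    """Combine header fields with PDB evidence into one record per sample."""
    info = coff_header(data)
    rsds = find_rsds(data)
    if rsds:
        info.update(rsds)
        info["bellaciao_pdb"] = "MicrosoftAgentServices" in rsds["pdb_path"]
        info["agent_services_version"] = pdb_version(rsds["pdb_path"])
    return info


def build_sample() -> bytes:
    """Constructed minimal PE-like blob for a self-contained run; NOT a real BellaCiao binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    # x86-64, 6 sections, TimeDateStamp 2023-05-06 11:50:21 UTC, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 6, 1683373821, 0, 0, 0, 0x2022)
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up GUID
    # Made-up path following the MicrosoftAgentServices<N>\MicrosoftAgentServices pattern.
    path = r"C:\Users\dev\MicrosoftAgentServices2\MicrosoftAgentServices\obj\Release\MicrosoftAgentServices.pdb"
    rsds = RSDS_MAGIC + guid.bytes_le + struct.pack("<I", 1) + path.encode("ascii") + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64 + rsds + b"\0" * 16


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(f"{key:24} {value}")
```

The byte scan is deliberately permissive; for intact samples, walking the debug directory (for example with pefile) gives the authoritative RSDS record and avoids matching stray strings. The `compiled` field is rendered in the same format as the table above so results can be compared directly.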

BellaCPP

MD5        222380fa5a0c1087559abbb6d1a5f889
SHA1       dccdfc77dd2803b3c5a97af0851efa0aa5bbeeeb
SHA256     e4e3f09c4257269cef6cfbebc83c8a60376ce5e547080502e3e408a3f9916218
File type  PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections
File size  17.50 KB
File name  adhapl.dll

BellaCPP was found on the same machine infected with the .NET-based BellaCiao malware. It is a DLL named “adhapl.dll”, developed in C++ and located in C:\Windows\System32. It has a single export, named “ServiceMain”. The export name, together with the service control handler registration in the code, indicates that this variant, like the original BellaCiao samples, is designed to run as a Windows service.

Consistent with the exported ServiceMain function, the code executes a series of steps that closely resemble the behavior observed in earlier versions of BellaCiao.

Unfortunately, we were unable to retrieve the D3D12_1core.dll file referenced by the service, and therefore could not analyze the SecurityUpdate function it triggers. However, as mentioned above, the .NET-based BellaCiao samples exhibit similar behavior; the difference is that the values the C++ version passes as arguments are stored as separate variables in the .NET code. For example, the BellaCiao sample found alongside BellaCPP uses the following workflow.

Based on the parameters passed and known BellaCiao functionality, we assess with medium confidence that the missing DLL creates an SSH tunnel. However, unlike the older BellaCiao samples, which embedded a PowerShell webshell, the BellaCPP sample lacks a hardcoded webshell.

Attribution

We assess with medium-to-high confidence that BellaCPP is associated with the Charming Kitten threat actor based on the following elements.

Conclusion

Charming Kitten has been improving its arsenal of malware families while making use of publicly available tools. One of the malware families that they keep updating is BellaCiao. This family is especially interesting from a research perspective, as the PDB paths sometimes provide some insight into the intended target and their environment.

The discovery of the BellaCPP sample highlights the importance of conducting a thorough investigation of the network and the machines in it. Attackers can deploy unknown samples which might not be detected by security solutions, thereby retaining a foothold in the network after “known” samples are removed.

File hashes

222380fa5a0c1087559abbb6d1a5f889
14f6c034af7322156e62a6c961106a8c
44d8b88c539808bb9a479f98393cf3c7
e24b07e2955eb3e98de8b775db00dc68
8ecd457c1ddfbb58afea3e39da2bf17b
103ce1c5e3fdb122351868949a4ebc77
28d02ea14757fe69214a97e5b6386e95
4c6aa8750dc426f2c676b23b39710903
ac4606a0e10067b00c510fb97b5bd2cc
ac6ddd56aa4bf53170807234bc91345a
36b97c500e36d5300821e874452bbcb2
febf2a94bc59011b09568071c52512b5

Domains
systemupdate[.]info

Source: Securelist
