Introduction
BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor Charming Kitten. One important aspect of the BellaCiao samples is how they exhibit a wealth of information through their respective PDB paths, including a versioning scheme we were able to work out once we analyzed historical records.
Recently, we were investigating an intrusion that involved a BellaCiao sample (MD5 14f6c034af7322156e62a6c961106a8c) on a computer in Asia. Our telemetry indicated another suspicious, and possibly related, sample on the same machine. After further investigation of the sample, it turned out to be a reimplementation of an older BellaCiao version, but written in C++.
BellaCiao: PDB analysis
BellaCiao has very descriptive PDB paths that expose important points related to the campaign, such as the target entity and country. In addition, after analyzing several historical samples, we found that all PDB paths contained the string “MicrosoftAgentServices”. Some of the samples had a single digit appended to the string, as in “MicrosoftAgentServices2” and “MicrosoftAgentServices3”. The use of integers typically indicates versioning employed by the malware developer, likely to differentiate various iterations or updates. These versioning practices may serve the purpose of tracking development and changes in the malware’s capabilities, aiding the APT actor in maintaining a diverse and evolving arsenal to achieve their objectives.
Below are the last 10 samples with their respective compilation times.
md5
Partial PDB
Compiler Timestamp
44D8B88C539808BB9A479F98393CF3C7
MicrosoftAgentServicesMicrosoft
AgentServices
Mon Mar 27 05:26:40
2023
E24B07E2955EB3E98DE8B775DB00DC68
MicrosoftAgentServicesMicrosoft
AgentServices
Wed Apr 12 13:02:04
2023
8ECD457C1DDFBB58AFEA3E39DA2BF17B
MicrosoftAgentServicesMicrosoft
AgentServices
Fri Apr 14 15:29:28
2023
103CE1C5E3FDB122351868949A4EBC77
MicrosoftAgentServicesMicrosoft
AgentServices
Sat Apr 22 18:47:41
2023
28D02EA14757FE69214A97E5B6386E95
MicrosoftAgentServicesMicrosoft
AgentServices
Sun Apr 23 11:33:32
2023
4C6AA8750DC426F2C676B23B39710903
MicrosoftAgentServices2Microsoft
AgentServices
Sat May 06 11:50:21
2023
AC4606A0E10067B00C510FB97B5BD2CC
MicrosoftAgentServices2Microsoft
AgentServices
Sun Jun 11 08:15:29
2023
AC6DDD56AA4BF53170807234BC91345A
MicrosoftAgentServices3Microsoft
AgentServices
Tue Jun 27 21:25:29
2023
36B97C500E36D5300821E874452BBCB2
MicrosoftAgentServices3Microsoft
AgentServices
Tue Jun 27 22:44:06
2023
FEBF2A94BC59011B09568071C52512B5
MicrosoftAgentServices3Microsoft
AgentServices
Tue Jun 27 23:14:44
2023
It is worth noting that the first known BellaCiao samples didn’t feature this versioning system, which only appeared later. This could be attributed to the project’s gradual maturation over time, resulting in improved development quality and refined capabilities.
BellaCPP
MD5
222380fa5a0c1087559abbb6d1a5f889
SHA1
dccdfc77dd2803b3c5a97af0851efa0aa5bbeeeb
SHA256
e4e3f09c4257269cef6cfbebc83c8a60376ce5e547080502e3e408a3f9916218
File type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections
File size
17.50 KB
File name
adhapl.dll
BellaCPP was found on the same machine infected with the .NET-based BellaCiao malware. It’s a DLL file named “adhapl.dll”, developed in C++ and located in C:WindowsSystem32. It has one export function, named “ServiceMain”. The name and control handler registration indicate that, similar to the original BellaCiao samples, this variant is designed to run as a Windows service.
Consistent with the exported ServiceMain function in the DLL, the code executes a series of steps that closely resemble the behavior observed in earlier versions of BellaCiao.
- Decrypt three strings using XOR encryption with the key
0x7B
:
- C:WindowsSystem32D3D12_1core.dll
- SecurityUpdate
- CheckDNSRecords
- Load the DLL file at the path decrypted during the previous step and resolve the functions of the two other decrypted strings above with GetProcAddress.
- Generate a domain by following the same method as the .NET BellaCiao version, using the following format:
<5 random letters><target identifier>.<country code>.systemupdate[.]info
- Call the CheckDNSRecords function. If the return value matches the hardcoded IP address, call the SecurityUpdate function, passing an argument as depicted below.
<username>:<password>:systemupdate[.]info:<port>:<IP_address>:<port>:<IP_address>:<port>
Unfortunately, we were unable to retrieve the aforementioned D3D12_1core.dll file and therefore could not analyze the SecurityUpdate function triggered in the process. However, as mentioned above, the .NET-based BellaCiao samples feature similar behavior but contain the parameter passed as an argument by the C++ version as a separate variable. For example, the BellaCiao sample that is found along with BellaCPP uses the following workflow.
- Generate a domain using the pattern below and send a DNS request to obtain the IP address.
<5 random letters><target identifier>.<country code>.autoupdate[.]uk
- If the IP address equals a hardcoded value, create an SSH tunnel using values similar to the parameter passed by BellaCPP, and expose local port 49450 through that tunnel.
Based on the passed parameters and known BellaCiao functionality, we assess with medium confidence that the missing DLL creates an SSH tunnel. However, in contrast to the PowerShell webshell that we observed in the older BellaCiao samples, the BellaCPP sample lacks a hardcoded webshell.
Attribution
We assess with medium-to-high confidence that BellaCPP is associated with the Charming Kitten threat actor based on the following elements.
- From a high-level perspective, this is a C++ representation of the BellaCiao samples without the webshell functionality.
- It uses domains previously attributed to the actor.
- It generates a domain in a similar fashion and uses that in the same way as observed with the .NET samples.
- The infected machine was discovered with an older BellaCiao sample on its hard drive.
Conclusion
Charming Kitten has been improving its arsenal of malware families while making use of publicly available tools. One of the malware families that they keep updating is BellaCiao. This family is especially interesting from a research perspective, as the PDB paths sometimes provide some insight into the intended target and their environment.
The discovery of the BellaCPP sample highlights the importance of conducting a thorough investigation of the network and the machines in it. Attackers can deploy unknown samples which might not be detected by security solutions, thereby retaining a foothold in the network after “known” samples are removed.
File hashes
222380fa5a0c1087559abbb6d1a5f889
14f6c034af7322156e62a6c961106a8c
44d8b88c539808bb9a479f98393cf3c7
e24b07e2955eb3e98de8b775db00dc68
8ecd457c1ddfbb58afea3e39da2bf17b
103ce1c5e3fdb122351868949a4ebc77
28d02ea14757fe69214a97e5b6386e95
4c6aa8750dc426f2c676b23b39710903
ac4606a0e10067b00c510fb97b5bd2cc
ac6ddd56aa4bf53170807234bc91345a
36b97c500e36d5300821e874452bbcb2
febf2a94bc59011b09568071c52512b5
Domains
systemupdate[.]info
Source:: Securelist