FlagThis

The Iranian nation-state hacking group, known as Charming Kitten, has been observed deploying a new variant of their BellaCiao malware, called BellaCPP. This new version is written in C++, marking a shift from the original .NET-based BellaCiao. The discovery was made by Kaspersky during an investigation of a compromised machine in Asia, which was found to be infected with both BellaCiao and BellaCPP. This suggests the group is evolving its tactics and potentially enhancing the malware's evasion capabilities. The BellaCPP malware is a DLL file named "adhapl.dll", and it retains similar functionalities as its ancestor, including the ability to load another DLL ("D3D12_1core.dll") to create an SSH tunnel. A key difference is the absence of the web shell feature that was used in the original BellaCiao for uploading, downloading, and command execution. According to Kaspersky, BellaCPP is essentially a C++ port of BellaCiao without the web shell, using domains previously associated with the hacking group.

ImgSrc: ciso2ciso.com

References:

• CISO2CISO.COM - Iran’s Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware – Source:thehackernews.com - 1d
• The Hacker News - Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware - 1d
• @jos1264 - Iran’s Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware – Source:thehackernews.com - 1d
• ciso2ciso.com - Iran’s Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware – Source:thehackernews.com - 1d
• Security Affairs - BellaCPP, Charming Kitten’s BellaCiao variant written in C++ - 22h

Classification:

• HashTags: CharmingKitten BellaCPP CyberMalware
• Company: Kaspersky
• Target: Asia
• Attacker: Charming Kitten
• Product: BellaCiao
• Feature: malware
• Type: Malware
• Severity: Medium