Iran flag
Image: Mostafa Meraji via Unsplash

Iran APT using ‘BellaCiao’ malware against targets in US, Europe and Asia

An Iranian state-sponsored hacking group has been accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries.

Researchers from cybersecurity firm Bitdefender attributed the malware to APT35/APT42 – also known as Mint Sandstorm or Charming Kitten – an advanced persistent threat group that is allegedly run by Iran’s Islamic Revolutionary Guard Corps (IRGC).

Martin Zugec, technical solutions director at Bitdefender, told Recorded Future News that the malware developers named the malware BellaCiao as a reference to an Italian folk song about resistance fighting.

BellaCiao is a dropper malware designed to deliver other malware onto a victim’s device based on instructions from the attackers.

“It is designed to be completely stealthy and doesn't communicate with the threat actors much. It's completely passive in receiving the instructions while it works. I've never seen the technique that they’re using before,” he said.

“Every single implant is customized for that specific victim. It's completely designed so that after initial compromise, it can turn into almost like a stealth mode. It doesn't do anything until they are ready to weaponize their access.”

Based on their analysis of several victims, Zugec said it was clear the hackers were organizing victims by country based on the folder names researchers found. They discovered folders named for Israel, Turkey, Austria, India and Italy.

Zugec said they were unable to figure out the initial infection vector but said the primary targets were Microsoft Exchange servers, meaning the hackers most likely used one of the popular Microsoft Exchange exploit chains like ProxyShell or ProxyNotShell. Zugec noted that the Charming Kitten group has also been caught using the Log4j vulnerability during its attacks.

As soon as BellaCiao is deployed, it tries to disable Microsoft Defender. Bitdefender said the malware then opens the door for other strains typically used for “the purposes of espionage, data theft, ransomware/extortion and others.”

The campaign is “highly sophisticated” and Bitdefender said it is currently ongoing.

“We believe this campaign is the next stage after opportunistic attacks. Charming Kitten looks for vulnerable systems indiscriminately (using vulnerability exploits), then custom malware (BellaCiao) is developed for compromised organization and deployed remotely,” the researchers said.

Microsoft – which calls the group Mint Sandstorm – reported last week that the same Iranian hacking group spent much of 2021 and 2022 directly targeting “US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity.”

“The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations,” Microsoft explained.

“Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.