Bitdefender unveils BellaCiao, the Iranian malware that is targeting several countries

Bitdefender today released research detailing a dangerous new malware campaign: BellaCiao.

This campaign is not only new in the cyberattack landscape, but is still ongoing and is targeting companies in the United States, Europe, Israel, Turkey and India.

BellaCiao malware

BellaCiao is managed by Charming Kitten (alias Mint Sandstorm, APT35/42), that is, a well-known group of cybercriminals supported by the Iranian government. What makes this new malware particularly dangerous is that it is not only highly sophisticated but also adapted to each type of target, using a specific communication approach through its command and control (C2) infrastructure.

How does this malware work? Basically, BellaCiao operates as a backdoor and dropper. It can also be used to distribute all kinds of malware for the purposes of espionage, data theft, ransomware and extortion. Once the system is infected, BellaCiao acts stealthily, impersonating a legitimate process so that it will not be discovered, pending further instructions from the cybercriminals.

The research conducted by Bitdefender highlights an interesting fact: the novelty of BellaCiao is the way it receives instructions from the attacker's C2 server. Every 24 hours, the infected computer performs a DNS request on the malware's behalf to resolve a subdomain built from a hardcoded string that is unique to each victim.
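A defender can hunt for this pattern in DNS resolver logs: a name that only one host ever queries, at a steady 24-hour interval. The following Python is an added example, not code from Bitdefender's research or from this article; the log format, the hostnames and addresses, the 10-minute tolerance and the three-hit minimum are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log: "<ISO timestamp> <client IP> <queried name>".
# All values are invented for this example; none come from the research.
SAMPLE_LOG = """\
2023-04-20T03:14:07 10.0.5.21 a1b2c3d4.updates.example.net
2023-04-20T09:00:00 10.0.5.21 www.example.com
2023-04-20T09:05:00 10.0.7.40 www.example.com
2023-04-21T03:14:09 10.0.5.21 a1b2c3d4.updates.example.net
2023-04-21T11:30:00 10.0.7.40 www.example.com
2023-04-22T03:14:05 10.0.5.21 a1b2c3d4.updates.example.net
2023-04-22T16:45:00 10.0.5.21 www.example.com
2023-04-23T03:14:11 10.0.5.21 a1b2c3d4.updates.example.net
"""

def parse(log_text):
    """Yield (timestamp, client, qname) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def find_daily_beacons(log_text, period=timedelta(hours=24),
                       tolerance=timedelta(minutes=10), min_hits=3):
    """Return names queried by exactly one client at a steady ~24h interval."""
    times = defaultdict(list)    # (client, qname) -> query timestamps
    clients = defaultdict(set)   # qname -> every client that asked for it
    for ts, client, qname in parse(log_text):
        times[(client, qname)].append(ts)
        clients[qname].add(client)

    findings = []
    for (client, qname), stamps in times.items():
        # A per-victim subdomain is requested by a single host only.
        if len(clients[qname]) != 1 or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        # Every gap between consecutive queries must sit close to the period.
        if all(abs(gap - period) <= tolerance for gap in gaps):
            findings.append({"client": client, "qname": qname, "hits": len(stamps)})
    return findings

if __name__ == "__main__":
    for finding in find_daily_beacons(SAMPLE_LOG):
        print(finding)
```

Run it over several days of logs; a single day cannot show a 24-hour interval, and scheduled legitimate software can match the same pattern, so treat hits as leads to triage.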

Bitdefender also believes that this campaign is the next step following opportunistic attacks.

Since the campaign is still active, Bitdefender urges companies not to let their guard down and to maintain a high level of alert, without forgetting to share the information from this research with CIOs.

How to defend yourself against these attacks? You definitely need to adopt comprehensive cyber security solutions, including threat prevention, detection and neutralization capabilities. Finally, Bitdefender recommends implementing IP/URL/Domain reputation on all endpoints.

The complete research is available at the following link.

Published by
Walker Ronnie
