Unveiling BellaCiao: Charming Kitten's Sophisticated Malware Tailored For Individuals
- Actor Motivations: Espionage, Exfiltration, Extortion, Financial Gain
- Attack Vectors: Vulnerability Exploitation, Cryptojacking, Ransomware, Supply Chain Compromise
- Attack Complexity: Very High
- Threat Risk: High Impact/High Probability
Threat Overview
The Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique approach to communicating with its command-and-control (C2) infrastructure and is tailored to each individual target. BellaCiao is a dropper: it delivers further payloads according to instructions received from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | Austria | High |
| Region | India | High |
| Region | Israel | High |
| Region | Italy | High |
| Region | Turkey | High |
| Region | United States | Verified |
| Region | Middle East Countries | Verified |
| Region | European Countries | Verified |
Extracted IOCs
15 related IOCs (1 IP address, 5 domains, 9 file hashes; no URLs or email addresses) have been associated with this threat.