Cyber Security News

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation of an intrusion in Asia uncovered the BellaCiao .NET malware; the initial sample (MD5 14f6c034af7322156e62a6c961106a8c) provided valuable insight into the malware's version and its development timeline.

A second suspicious sample found on the same machine exhibited functionality similar to BellaCiao but turned out to be a C++ reimplementation of an older version, suggesting an evolution in the attacker's tactics, techniques, and procedures.

BellaCiao samples retain PDB paths whose directory names describe the campaign, revealing details such as the targeted entity and country; historical samples consistently contain the string “MicrosoftAgentServices” in these paths.

Some samples carry numerical suffixes such as “MicrosoftAgentServices2” or “MicrosoftAgentServices3,” strongly suggesting that the developer versions the project to distinguish successive iterations or updates of the malware.

Such versioning practices likely aid the APT actor in tracking development, implementing changes to the malware’s capabilities, and maintaining a diverse and evolving arsenal to effectively achieve their campaign objectives.

The compilation data reveals a development history for the “MicrosoftAgentServices” project: the earliest samples, which predate the versioned directory names, point to an early, less structured development phase.


The later introduction of “MicrosoftAgentServices2” and “MicrosoftAgentServices3” indicates a shift towards a more organized, iterative development process, which is further supported by the increasing number of compilations within each versioned directory.

The compilation timestamps provide insight into the project's timeline and the pace of activity at each development stage, with the caveat that a PE timestamp is written by the attacker's toolchain and can be forged or, for deterministic .NET builds, replaced by a content hash.
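The PDB-path and compile-time triage described above can be scripted. The following is an added example, not code from the original article or from Kaspersky; it reads the COFF TimeDateStamp and the RSDS CodeView record directly from the bytes, classifies the “MicrosoftAgentServices” version suffix, and orders samples into a timeline. The PE blob, the PDB path, and the sample names are constructed for the demonstration, not real BellaCiao artifacts.

```python
import re
import struct
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Versioned project directory seen in BellaCiao PDB paths:
# "MicrosoftAgentServices", "MicrosoftAgentServices2", "MicrosoftAgentServices3", ...
MARKER_RE = re.compile(r"MicrosoftAgentServices(?P<ver>\d*)", re.IGNORECASE)


def compile_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout: DOS header -> e_lfanew at 0x3C -> "PE\\0\\0" -> COFF header, where
    TimeDateStamp sits 8 bytes after the signature (after Machine and
    NumberOfSections). The value is attacker-controlled: a lead, not proof.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def pdb_path(data: bytes) -> Optional[str]:
    """Extract the PDB path from the first RSDS (CodeView 7.0) debug record.

    Record layout: "RSDS" | 16-byte GUID | 4-byte age | NUL-terminated path.
    Scanning for the magic is a triage shortcut; a full parser would walk
    IMAGE_DIRECTORY_ENTRY_DEBUG to locate the record instead.
    """
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\x00", start)
    if end < 0:
        return None
    return data[start:end].decode("latin-1")


def classify_pdb(path: str) -> Dict[str, object]:
    """Split a PDB path into directory elements and pull out the
    MicrosoftAgentServices marker plus its numeric suffix (None when the
    directory has no number, i.e. a pre-versioning build)."""
    elements = [e for e in re.split(r"[\\/]", path) if e]
    marker: Optional[str] = None
    version: Optional[int] = None
    for element in elements[:-1]:            # skip the .pdb file name itself
        m = MARKER_RE.fullmatch(element)
        if m:
            marker = element
            version = int(m.group("ver")) if m.group("ver") else None
            break
    return {"marker": marker, "version": version, "elements": elements}


def triage(data: bytes) -> Dict[str, object]:
    """One-stop summary for a sample: compile time plus PDB-derived metadata."""
    path = pdb_path(data)
    summary: Dict[str, object] = {"compiled": compile_timestamp(data).isoformat()}
    summary.update(classify_pdb(path) if path else
                   {"marker": None, "version": None, "elements": []})
    return summary


def timeline(samples: Dict[str, bytes]) -> List[Tuple[str, str, Optional[int]]]:
    """Order samples by compile time and tag each with its directory version."""
    rows = []
    for name, data in samples.items():
        t = triage(data)
        rows.append((str(t["compiled"]), name, t["version"]))
    return sorted(rows)


def build_fake_pe(timestamp: int, pdb: bytes) -> bytes:
    """Constructed stand-in containing only the bytes the functions above read.
    Not a real BellaCiao binary; the PDB path is a made-up example."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb + b"\x00"
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(32) + rsds


# Constructed samples: an unversioned build and a later "2" build.
SAMPLE_V2 = build_fake_pe(
    1700000000, b"D:\\Projects\\MicrosoftAgentServices2\\bin\\Release\\MicrosoftAgentServices.pdb")
SAMPLE_V0 = build_fake_pe(
    1690000000, b"D:\\Projects\\MicrosoftAgentServices\\bin\\Release\\MicrosoftAgentServices.pdb")

if __name__ == "__main__":
    for row in timeline({"sample_v0": SAMPLE_V0, "sample_v2": SAMPLE_V2}):
        print(row)
```

The marker regex is anchored with `fullmatch` on a single directory element so that the `MicrosoftAgentServices.pdb` file name does not mask the versioned directory above it. In a real investigation, run `triage` over every sample from the host and then `timeline` over the set; a version-2 directory compiled before an unversioned one is exactly the kind of inconsistency that should make you distrust the timestamps.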

BellaCPP is a C++ DLL that installs itself as a Windows service. Once running, it decrypts strings related to system updates and DNS checks, generates a domain name from a template, resolves it, and compares the returned address with a specific, expected IP address.

If the resolved address matches the expected IP, it calls a function that is most likely responsible for command-and-control communication, passing it credentials, domain information, and port numbers. This closely mirrors the earlier .NET-based BellaCiao variants, pointing to shared functionality and a common origin.

The analysts were unable to retrieve the D3D12_1core.dll file, which prevented direct examination of the SecurityUpdate function's behavior in the C++ BellaCPP sample.

Based on the similarities with the .NET-based BellaCiao samples, the missing DLL most likely establishes an SSH tunnel; this is supported by the C++ sample's use of a domain-generation pattern similar to BellaCiao's, in which the resolved IP address dictates the subsequent action.

While the C++ sample lacks a hardcoded webshell, the observed behavior strongly suggests the creation of an SSH tunnel, potentially for remote access or data exfiltration.
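The DNS-gated start-up described above is worth modelling because it explains why the sample stays dormant in a sandbox that answers DNS with a fake or sinkholed address. The block below is an added example, not code from the article or from Kaspersky, and it does not reproduce the real malware: the domain template, the expected address (documentation space 198.51.100.0/24), the credentials and port, and the DNS log lines are all constructed. The hunting function additionally assumes the template embeds the victim hostname as the leftmost label, which the article does not confirm.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-ins; the real template and expected address are not on the page.
DOMAIN_TEMPLATE = "{host}.{victim}.{tld}"
EXPECTED_IP = "198.51.100.23"

Resolver = Callable[[str], Optional[str]]   # qname -> first A record, None on NXDOMAIN


@dataclass
class C2Params:
    """What the gated function receives, per the article: credentials, domain, port."""
    username: str
    password: str
    domain: str
    port: int


def build_domain(template: str, fields: Dict[str, str]) -> str:
    """Fill the template the way a template-driven loader would."""
    return template.format(**fields).lower()


def dns_gate(domain: str, expected_ip: str, resolve: Resolver) -> bool:
    """Resolve the generated name and open the gate only on an exact match."""
    answer = resolve(domain)
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) == ipaddress.ip_address(expected_ip)
    except ValueError:            # garbage in the answer section: stay closed
        return False


def run_stage(fields: Dict[str, str], resolve: Resolver,
              on_match: Callable[[C2Params], str]) -> Optional[str]:
    """Simulate the service's start-up check: returns on_match's result when
    the gate opens, None when the implant would simply stay dormant."""
    domain = build_domain(DOMAIN_TEMPLATE, fields)
    if not dns_gate(domain, EXPECTED_IP, resolve):
        return None
    # Placeholder credentials and port; the real values are not on the page.
    return on_match(C2Params("svc-user", "<placeholder>", domain, 2222))


# Hunting side. Constructed log format: "<utc-time> <client-host> <qname> <answer>".
SAMPLE_DNS_LOG = [
    "2024-12-20T09:00:01Z ws-fin-07 ws-fin-07.acme-corp.example. 198.51.100.23",
    "2024-12-20T09:00:02Z ws-fin-07 www.example.com. 203.0.113.5",
    "2024-12-20T09:00:03Z srv-db-01 srv-db-01.acme-corp.example. 203.0.113.9",
    "2024-12-20T09:00:04Z ws-hr-02 updates.example.net. 203.0.113.40",
]


def hunt_dns_log(lines: List[str], template: str) -> List[str]:
    """Flag queries whose label count fits the template and whose leftmost
    label is the querying host's own name (assumed template layout)."""
    want = template.count(".") + 1
    hits: List[str] = []
    for line in lines:
        _ts, client, qname, _answer = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) == want and labels[0].lower() == client.lower():
            hits.append(qname)
    return hits


if __name__ == "__main__":
    fields = {"host": "WS-FIN-07", "victim": "acme-corp", "tld": "example"}
    tunnel = lambda p: f"ssh tunnel to {p.domain}:{p.port} as {p.username}"
    print("attacker DNS :", run_stage(fields, lambda q: EXPECTED_IP, tunnel))
    print("lab fake DNS :", run_stage(fields, lambda q: "127.0.0.1", tunnel))
    print("NXDOMAIN     :", run_stage(fields, lambda q: None, tunnel))
    print("log hits     :", hunt_dns_log(SAMPLE_DNS_LOG, DOMAIN_TEMPLATE))
```

Two practical consequences follow from the gate. For detonation, the lab resolver has to return the exact address the sample expects, so a generic fake-DNS that answers everything with 127.0.0.1 will never reach the tunnel code; the resolver is the first thing to patch when the sample appears inert. For hunting, the generated name itself is the artifact: a query whose first label is the querying machine's own hostname is rare in normal traffic and is cheap to search for in passive-DNS or resolver logs.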

Kaspersky's analysis of the BellaCPP sample, a C++ variant of the BellaCiao malware, strongly suggests an association with the Charming Kitten threat actor; key indicators include the use of previously attributed domains, similar domain-generation techniques, and the presence of older BellaCiao samples on the infected machine.

This discovery underscores the need for comprehensive network-wide investigations to identify and remove previously undetected malware variants, such as BellaCPP, deployed by adversaries like Charming Kitten.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
