A cyberespionage group believed to be linked to the Iranian government has been using a new malware implant called BellaCiao to infect Microsoft Exchange Servers. BellaCiao acts as a dropper for additional payloads and communicates with attackers via DNS queries that encode commands into IP addresses. The group, known as Charming Kitten, APT35, or Phosphorus, is believed to be operated by the Islamic Revolutionary Guard Corps (IRGC) and is known for customizing attacks for each victim. The malware binary contains hardcoded information such as company name, custom subdomains, and IP addresses, and the attackers organize their victims into folders by country code. Charming Kitten has been targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity since late 2021.
While it is unclear what infection vector is being used to deploy BellaCiao, researchers believe that the attackers are exploiting one of the known Exchange exploits from recent years such as ProxyLogon, ProxyShell, ProxyNotShell, or OWASSRF. Once deployed, the implant disables Microsoft Defender and creates a new service for persistence called Microsoft Exchange Services Health or Exchange Agent Diagnostic Services, attempting to blend in with legitimate Exchange-related processes and services.
In addition to BellaCiao, the attackers also deployed backdoors that function as modules for Internet Information Services (IIS), the web server that underpins Exchange. One is an open-source IIS backdoor called IIS-Raid and the other is an IIS module written in .NET and used for credential exfiltration. Some BellaCiao samples are designed to deploy a webshell, which is encoded into the BellaCiao executable itself in the form of malformed base64 strings.
To decide when to drop the webshell, in which directory, and under what name, the BellaCiao implant queries a command-and-control server over DNS using a custom communication channel. The malware makes a DNS request for a subdomain hardcoded in its code every 24 hours. The attackers control the DNS for the subdomain, and by returning different IP addresses they transmit commands to the malware, which has special routines to interpret those addresses.
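A defender-side illustration of how a channel like this surfaces in resolver logs, added here and not taken from the Bitdefender report or the original article: it scans constructed sample DNS log lines for a host that queries the same name at a fixed 24-hour cadence and records whether the returned address changes between queries. Host names and addresses are made-up placeholders, and the check flags only the cadence and answer churn, since the report does not describe how the implant decodes the IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: "timestamp client qname answer" (placeholder values).
SAMPLE_LOG = """\
2023-04-01T03:12:07Z exch01 mail.example-corp.test 198.51.100.10
2023-04-01T03:12:09Z exch01 a1b2.example-victim.test 192.0.2.1
2023-04-01T11:45:00Z exch01 mail.example-corp.test 198.51.100.10
2023-04-02T03:12:10Z exch01 a1b2.example-victim.test 192.0.2.1
2023-04-02T08:00:00Z ws07 mail.example-corp.test 198.51.100.10
2023-04-02T16:20:33Z exch01 mail.example-corp.test 198.51.100.10
2023-04-03T03:12:08Z exch01 a1b2.example-victim.test 192.0.2.7
2023-04-03T03:40:00Z exch01 mail.example-corp.test 198.51.100.10
2023-04-04T03:12:12Z exch01 a1b2.example-victim.test 192.0.2.7
"""


def parse_dns_log(text):
    """Parse whitespace-separated log lines into (timestamp, client, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname, answer))
    return records


def find_daily_beacons(records, period=timedelta(hours=24),
                       tolerance=timedelta(minutes=10), min_queries=3):
    """Return (client, qname) pairs queried at a steady ~24h interval, with answer churn."""
    by_pair = defaultdict(list)
    for ts, client, qname, answer in records:
        by_pair[(client, qname)].append((ts, answer))
    hits = []
    for (client, qname), events in by_pair.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        # Every gap between consecutive queries must sit within tolerance of the period.
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits.append({"client": client, "qname": qname, "queries": len(events),
                         "distinct_answers": len({ans for _, ans in events})})
    return hits


if __name__ == "__main__":
    for hit in find_daily_beacons(parse_dns_log(SAMPLE_LOG)):
        print(hit)
```

Ordinary mail traffic in the sample is queried at irregular times and keeps the same answer, so only the steadily timed name with a changing answer is reported; in a real deployment the threshold and tolerance should be tuned against the resolver's normal cache and TTL behaviour.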
The webshell monitors for web requests that include a particular string acting as a secret password in the header, providing attackers with file download, file upload, and command execution capabilities. Other BellaCiao samples were designed to deploy PowerShell scripts that act as a local web server and a command-line connection tool called Plink, allowing attackers to execute commands, execute scripts, upload and download files, and upload web logs.
The Bitdefender report includes a list of indicators of compromise such as domain names, file names and paths, PowerShell script hashes, and IP addresses but does not include file hashes for the BellaCiao samples because the samples have hardcoded information about the victims.