Charming Kitten targets critical infrastructure in US and elsewhere with BellaCiao malware – Source: www.tripwire.com

Iranian state-sponsored hacking group Charming Kitten has been named as the group responsible for a new wave of attacks targeting critical infrastructure in the United States and elsewhere.

The group (who are also known to security researchers by a wide variety of other names including Mint Sandstorm, Phosphorous, Newscaster, and APT35) has been operating since at least 2011, making a name for itself by targeting activists and journalists in the Middle East, as well as organisations in the United States, UK, Israel, and elsewhere.

Earlier this month, Microsoft announced that the group, which is associated with Iran’s Islamic Revolutionary Guard, had been linked to cyber attacks on US critical infrastructure between late 2021 and mid-2022.

And now, according to a new report from security researchers at anti-virus firm Bitdefender, the malicious hackers have added a new weapon to their armoury in an attempt to avoid detection.

According to the experts at Bitdefender Labs, Charming Kitten has created multiple saamples of malware called BellaCiao, tailor-made to specific victims – each containing specific company names, specially-crafted subdomains, and associated IP addresses.

The researchers note that “custom-developed malware, also known as “tailored” malware, is generally harder to detect because it is specifically crafted to evade detection and contains unique code.”

Each malware sample reveals details about the specific organisational victim it has been customised for, which – because it could lead to their identification – means information about the samples is being tightly controlled.

BellaCiao, possibly named in reference to an Italian folk song of freedom and resistance, attempts to disable Microsoft Defender, and tries to open backdoors through which remote actors can gain access, and send commands to launch further attacks, and exfiltrate information such as credentials.

It is not known as yet how the group is initially intruding into networks to plant the malware, but organisations would be wise to ensure that their systems are well-maintained, do not have weak or reused passwords, and have patched against software vulnerabilities.

A complete list of indicators of compromise is published on the technical blog post from Bitdefender Labs.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.