A new C++ variant of the BellaCiao malware, dubbed BellaCPP, has been discovered by researchers. This variant shares similarities with the original .NET-based BellaCiao, including domain generation and SSH tunneling capabilities. BellaCPP was found on a machine that was also infected with a .NET BellaCiao sample. The malware is designed to run as a Windows service and stores its strings XOR-encrypted, decrypting them at runtime. It generates domains and checks their DNS records to establish communication. The discovery highlights the importance of thorough network investigations, as attackers may deploy previously unknown samples to maintain persistence. The malware is attributed to the Charming Kitten threat actor with medium-to-high confidence, based on similarities in functionality and infrastructure.
Author: AlienVault
Related Tags:
BellaCPP
BellaCiao
C++
T1027.001
T1569.002
T1021.004
T1071.004
T1573.002
T1132.001
Associated Indicators:
DCCDFC77DD2803B3C5A97AF0851EFA0AA5BBEEEB
36B97C500E36D5300821E874452BBCB2
222380FA5A0C1087559ABBB6D1A5F889
8ECD457C1DDFBB58AFEA3E39DA2BF17B
103CE1C5E3FDB122351868949A4EBC77
44D8B88C539808BB9A479F98393CF3C7
E24B07E2955EB3E98DE8B775DB00DC68
14F6C034AF7322156E62A6C961106A8C
AC4606A0E10067B00C510FB97B5BD2CC