From .NET to C++: BellaCiao Malware Evolves with BellaCPP
Kaspersky has uncovered a fresh variant of the BellaCiao malware family—BellaCPP—marking a shift from .NET to C++ in its development.
First appearing in April 2023, BellaCiao is a .NET-based malware family, designed for stealthy persistence via webshells and covert tunneling capabilities. Kaspersky’s research, however, has unveiled BellaCPP, a variant written in C++, discovered alongside a BellaCiao sample during an investigation of a compromised system in Asia.
According to Kaspersky, “BellaCiao has very descriptive PDB paths that expose important points related to the campaign, such as the target entity and country.” These paths also provide clues about the malware’s evolution, with a versioning scheme first appearing in later samples of the .NET version. BellaCPP follows the same lineage but has notable distinctions.
BellaCPP is distributed as a DLL named adhapl.dll, residing in the C:\Windows\System32 directory. With a file size of just 17.50 KB, its minimal footprint belies its functionality. The malware exports a single function, ServiceMain, indicating its role as a Windows service.
Key characteristics include:
- XOR-decrypted Strings: BellaCPP decrypts three strings to access critical components:
- C:\Windows\System32\D3D12_1core.dll
- SecurityUpdate
- CheckDNSRecords
- Domain Generation: It creates domains in the format <5 random letters><target identifier>.<country code>.systemupdate[.]info, mirroring patterns seen in older BellaCiao samples.
- Targeted SSH Tunneling: While the DLL D3D12_1core.dll remains unexamined, researchers suggest it facilitates SSH tunneling, a hallmark of earlier BellaCiao versions.
Interestingly, BellaCPP omits the webshell component integral to earlier iterations, focusing instead on its covert tunneling capabilities.
Kaspersky links BellaCPP to Charming Kitten with medium-to-high confidence, citing:
- Structural and behavioral similarities with earlier BellaCiao samples.
- Use of domains historically attributed to the group.
- Shared techniques in domain generation and exploitation.
“This is a C++ representation of the BellaCiao samples without the webshell functionality,” Kaspersky notes, emphasizing the evolving tactics of the group.
The discovery of BellaCPP underscores the sophistication of Charming Kitten and the ongoing need for robust cybersecurity practices. As Kaspersky concludes, “The discovery of the BellaCPP sample highlights the importance of conducting a thorough investigation of the network and the machines in it.”
