Introduction
BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor Charming Kitten. One important aspect of the BellaCiao samples is how they exhibit a wealth of information through their respective PDB paths, including a versioning scheme we were able to work out once we analyzed historical records.
Recently, we were investigating an intrusion that involved a BellaCiao sample (MD5 14f6c034af7322156e62a6c961106a8c) on a computer in Asia. Our telemetry indicated another suspicious, and possibly related, sample on the same machine. After further investigation of the sample, it turned out to be a reimplementation of an older BellaCiao version, but written in C++.
BellaCiao: PDB analysis
BellaCiao has very descriptive PDB paths that expose important points related to the campaign, such as the target entity and country. In addition, after analyzing several historical samples, we found that all PDB paths contained the string “MicrosoftAgentServices”. Some of the samples had a single digit appended to the string, as in “MicrosoftAgentServices2” and “MicrosoftAgentServices3”. The use of integers typically indicates versioning employed by the malware developer, likely to differentiate various iterations or updates. These versioning practices may serve the purpose of tracking development and changes in the malware’s capabilities, aiding the APT actor in maintaining a diverse and evolving arsenal to achieve their objectives.
Below are the last 10 samples with their respective compilation times.
md5
Partial PDB
Compiler Timestamp
44D8B88C539808BB9A479F98393CF3C7
MicrosoftAgentServicesMicrosoft
AgentServices
Mon Mar 27 05:26:40
2023
E24B07E2955EB3E98DE8B775DB00DC6 ..
Support the originator by clicking the read the rest link below.
