Charming Kitten targets critical infrastructure in US and elsewhere with BellaCiao malware


Iran’s state-sponsored hacking group, Charming Kitten, has been identified as the group responsible for a new wave of attacks targeting critical infrastructure in the United States and elsewhere.

The group (also known to security researchers by a wide variety of other names, including Mint Sandstorm, Phosphorous, Newscaster, and APT35) has been operating since at least 2011, making a name for itself by targeting activists and journalists in the Middle East, as well as organizations in the United States, Britain, Israel, and elsewhere.

Earlier this month, Microsoft announced that the group, which is affiliated with Iran’s Islamic Revolutionary Guard Corps, has been linked to cyber attacks on critical infrastructure in the US between late 2021 and mid-2022.

And now, according to a new report from security researchers at anti-virus company Bitdefender, the malicious hackers have added a new weapon to their arsenal in an attempt to avoid detection.

According to the experts at Bitdefender Labs, Charming Kitten has created a large number of samples of a malware called BellaCiao, each tailored to a specific victim – containing specific company names, specially structured subdomains, and associated IP addresses.

The researchers note that “custom-developed malware, also known as ‘customized’ malware, is generally more difficult to detect because it is specifically designed to evade detection and contains unique code.”

Each malware sample reveals details about the specific corporate victim it was tailored for, which – because it could lead to their identification – means that information about the samples is tightly controlled.

BellaCiao, perhaps named in reference to an Italian folk song of freedom and resistance, attempts to disable Microsoft Defender, and tries to open back doors through which remote actors can gain access, send commands to launch additional attacks, and extract information such as credentials.
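The attempt to disable Microsoft Defender described above is something a defender can check for directly on a Windows host. The following PowerShell is an added example, not code from this article or from Bitdefender; it assumes the built-in Defender module (Get-MpComputerStatus) and the Defender operational event log, using the event IDs Microsoft documents for protection being turned off.

```powershell
# Added example: report whether Microsoft Defender protections are currently off
# and list recent events that record protection being disabled or tampered with.
# Assumes the built-in Defender PowerShell module and the
# Microsoft-Windows-Windows Defender/Operational event log.

function Get-DefenderTamperingSigns {
    param(
        [int]$LookbackHours = 24
    )

    $status = Get-MpComputerStatus

    # Current state: each of these should be $true on a healthy host.
    $current = [PSCustomObject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitor    = $status.BehaviorMonitorEnabled
        TamperProtection   = $status.IsTamperProtected
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }

    # Event IDs Microsoft documents for the Defender operational log:
    # 5001 real-time protection disabled, 5010 malware scanning disabled,
    # 5012 virus scanning disabled, 5013 tamper protection blocked a change.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012, 5013
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

    [PSCustomObject]@{
        Current      = $current
        RecentEvents = $events
        # Flag the host if protection is off now or was switched off in the window.
        Suspicious   = (-not $current.RealTimeProtection) -or
                       (-not $current.AntivirusEnabled) -or
                       (@($events).Count -gt 0)
    }
}

$report = Get-DefenderTamperingSigns -LookbackHours 72
$report.Current | Format-List
$report.RecentEvents | Format-Table -AutoSize
if ($report.Suspicious) {
    Write-Warning 'Defender protection is off or was disabled recently; investigate this host.'
}
```

Run it in an elevated session; a host where real-time protection is off, or where the 5001/5010/5012 events appear without a matching administrative change, is worth correlating with other activity rather than simply re-enabling Defender.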

It is not yet known how the group initially penetrates networks to plant the malware, but organizations are wise to ensure that their systems are well maintained, do not have weak or reused passwords, and are patched against software vulnerabilities.

A complete list of indicators of compromise is published in the technical blog post from Bitdefender Labs.


Editor’s Note: The views expressed in this author’s article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
