BellaCPP: Discovering a new BellaCiao variant written in C++

Dec. 20, 2024, 4:42 p.m.

Description

Researchers have discovered a new C++ variant of the BellaCiao malware, dubbed BellaCPP. This variant shares similarities with the original .NET-based BellaCiao, including domain generation and SSH tunneling capabilities. BellaCPP was found on a machine also infected with a .NET BellaCiao sample. The malware is designed to run as a Windows service and decrypts its strings with XOR. It generates domains and checks DNS records to establish communication. The discovery highlights the importance of thorough network investigations, as attackers may deploy unknown samples to maintain persistence. The malware is attributed to the Charming Kitten threat actor with medium-to-high confidence based on similarities in functionality and infrastructure.

Date

  • Created: Dec. 20, 2024, 3:25 p.m.
  • Published: Dec. 20, 2024, 3:25 p.m.
  • Modified: Dec. 20, 2024, 4:42 p.m.

Indicators

  • e4e3f09c4257269cef6cfbebc83c8a60376ce5e547080502e3e408a3f9916218
  • systemupdate.info

Attack Patterns