Iranian cyberspies deploy new malware implant on Microsoft Exchange Servers

A cyberespionage group believed to be associated with the Iranian government has been infecting Microsoft Exchange Servers with a new malware implant dubbed BellaCiao that acts as a dropper for additional payloads. The malware uses DNS queries to receive commands from attackers encoded into IP addresses.

According to researchers from Bitdefender, the attackers appear to customize their attacks for each particular victim including the malware binary, which contains hardcoded information such as company name, custom subdomains and IP addresses. Debugging information and file paths from compilation that were left inside the executable suggest the attackers are organizing their victims into folders by country code, such as IL (Israel), TR (Turkey), AT (Austria), IN (India), or IT (Italy).

The group behind the malware is known in the security industry as Charming Kitten, APT35, or Phosphorus and is believed to be a hacking team operated by the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian military. Microsoft recently reported that since late 2021 Charming Kitten has been targeting US critical infrastructure including seaports, energy companies, transit systems, and a major utility and gas entity.

The group is also known for frequently updating and expanding its malware arsenal with custom tools. While its preferred method of attack is highly targeted and sophisticated phishing that includes impersonation of real individuals, it’s also quick to adopt n-day exploits — exploits for vulnerabilities that have been recently patched. Examples in the past include exploits for Log4Shell and Zoho ManageEngine CVE-2022-47966.

BellaCiao malware deployment and operation

While the Bitdefender attackers are not sure what infection vector is being used to deploy BellaCiao, they found the implant on Exchange Servers, so they suspect attackers are exploiting one of the known Exchange exploits from recent years like ProxyLogon, ProxyShell, ProxyNotShell, or OWASSRF.

Once deployed, the implant disables Microsoft Defender using a PowerShell command and creates a new service for persistence called Microsoft Exchange Services Health or Exchange Agent Diagnostic Services. The chosen names are an attempt to blend in with legitimate Exchange-related processes and services.

In addition to BellaCiao, the attackers also deployed backdoors that function as modules for Internet Information Services (IIS), the web server that underpins Exchange. One was an open-source IIS backdoor called IIS-Raid and the other is an IIS module written in .NET and used for credential exfiltration.

Some samples of BellaCiao are designed to deploy a webshell — a web script that works as a backdoor and allows attackers to issue commands remotely. The webshell is not downloaded from an external server but is encoded into the BellaCiao executable itself in the form of malformed base64 strings.

However, to decide when to drop the webshell and in which directory and with what name, the BellaCiao implant queries a command-and-control server over DNS using a custom communication channel that the attackers implemented. The malware will make a DNS request for a subdomain hardcoded in its code every 24 hours. Since the attackers control the DNS for the subdomain, they can return whatever IP address they want and by doing so they actually transmit commands to the malware because BellaCiao has special routines to interpret those IP addresses.

An IP address has four numerical values (octets) separated by dots, for example 111.111.111.111. The malware has a hardcoded IP address of the format L1.L2.L3.L4 and then compares it to the IP address received from the DNS request, say R1.R2.R3.R4. If the last octets R4 and L4 match, then the webshell is deployed. If they don’t match, then the webshell is not deployed and if R4 is equal to L4-1 then all traces of the webshell are removed. The other octets R1, R2 and R3 are also used to determine which directory names and file names to choose from a list when deploying the webshell.

The webshell monitors for web requests that include a particular string that acts a secret password in the header and provides attackers with three capabilities: file download, file upload and command execution.

Other BellaCiao samples were designed to deploy PowerShell scripts that act as a local web server and a command-line connection tool called Plink that’s used to set up a reverse proxy connection to the web server. This allows attackers to execute commands, execute scripts, upload and download files, upload web logs, and more.

The Bitdefender report includes a list of indicators of compromise such as domain names, file names and paths, PowerShell script hashes and IP addresses. It does not include file hashes for the BellaCiao samples, because the samples have hardcoded information about the victims.