Iranian state-backed threat operation Charming Kitten — also known as APT35, CharmingCypress, CALANQUE, Mind Sandstorm, TA453, Newscaster, and Yellow Garuda — has deployed an updated C++ variant of the BellaCiao dropper malware, dubbed "BellaCPP", in attacks to facilitate further payload delivery, according to The Hacker News.
BellaCPP mimics the "stealthy persistence" of BellaCiao, containing a DLL file that loads another DLL to create an SSH tunnel, but it does not feature the older iteration's web shell, which was leveraged for arbitrary file uploading and downloading as well as command execution, an analysis from Kaspersky revealed.
"From a high-level perspective, this is a C++ representation of the BellaCiao samples without the web shell functionality," said Kaspersky researcher Mert Degirmenci.
The development comes more than a year after Bitdefender researchers first discovered BellaCiao being leveraged in attacks targeting organizations in the U.S., India, and the Middle East that ran vulnerable Microsoft Exchange Server and Zoho ManageEngine instances.