Endpoint Security

Interview: Martin Zugec On BellaCiao Malware And The Importance Of Threat Detection And Response

Expert Insights interviews Martin Zugec, Technical Solutions Director At Bitdefender.

Martin Zugec - Bitdefender

A consistent trend across all vectors of the cybersecurity space is an increase in attack severity and sophistication. “We’ve been observing, over the last two years, the next evolutionary state of the threat actors. They are getting much better at exploiting vulnerabilities,” Martin Zugec, Technical Solutions Director at Bitdefender tells Expert Insights.

Zugec is working closely with the Bitdefender Labs research team on analyzing telemetry data, identifying new trends, and providing insights about the current threat landscape. At the 2023 RSA Conference, Bitdefender revealed a new trend showing that threat actors are increasingly targeting software vulnerabilities for remote exploitation, including new research on BellaCiao, a dangerous new malware strain being used to infiltrate organizations in the US and Europe. 

These malware attacks begin by compromising software vulnerabilities which can affect thousands, or tens of thousands of systems, Zugec says. Criminal groups use automated scanners to locate systems affected by these vulnerabilities. They can then compromise them remotely, making sure they leave a backdoor in the system which can be later used to spread malware. These malware attack groups will then review all of the networks they have compromised and choose the most valuable targets to attack. This is becoming the “de-facto, standardized process,” that threat actors are using, Zugec says. 

This method of attack is particularly interesting as it uses a hybrid attack mode, he explains. The first stage is fully automated, but the second stage is completely manual. This gives criminal groups the ability to compromise thousands of organizations without manual effort, and then customize the malware used to cause the most damage and yield the best return. Attacks can be both widespread, affecting huge numbers of companies – but also highly customized and therefore difficult to detect and remediate against.

For example, if a manufacturing organization is compromised, ransomware can be designed to exploit features particular to that industry. If it’s a legal office, or healthcare, the most valuable asset is the data. If it’s a subcontractor, or a vendor for a much larger company, an attacker may look for ways to upscale the attack and use the foothold gained to try and compromise a larger onward target.

BellaCiao Malware

One of the most innovative examples of this type of malware detected by Bitdefender Labs is known as the ‘BellaCiao’. This is a sophisticated malware strain developed by “Charming Kitten”, which, according to the Bitdefender Labs team, is an Iranian state-sponsored malware group that has been operating since 2014. This malware uses the hybrid model previously mentioned but is designed to be incredibly difficult for security teams to detect. This is achieved through it’s highly specific configuration – it is targeted to individual organizations and exhibits a very high level of technical complexity.  

“What we are seeing with BellaCiao is that the malware is designed to be as stealthy as possible,” Zugec explains. “The way it is getting instructions is doing DNS domain resolution. So, it’s saying: ‘I’m looking for this domain.’ And depending on the IP address it’s going to get from the DNS server owned by the threat-actor, it’s going to follow up with the next instructions. It’s pretty much the equivalent of asking someone on the street which way to go, and if they tell you left, you know you need to go right.” 

“The really interesting bit for me is that every single sample of BellaCiao malware we have seen was customized for the specific victim. For example, the domain it’s asking for was related to the name of the victim. It’s really staying completely stealthy. All it does is ask ‘what is the address of this server?’ and depending on the answer, it’s going to follow different instructions.”

“I’ve never heard about any sample that works like this. It’s completely passive, there is no active communication. Ever. It’s just simple domain name resolution, and that’s how it knows what to do next. So, it was really interesting for me to understand how it works while our Labs were analyzing it!”

Protecting Against Sophisticated Malware

To defend against sophisticated malware attacks, such as BellaCiao, organizations need a “multi-layered, defense-in-depth,’ strategy, Zugec says. This includes strong patching controls to ensure that known vulnerabilities are patched as soon as possible, and crucially, threat detection and response capabilities to help detect malware that has been installed on your system. 

“With hybrid attacks, the initial compromise and that switch from the automated phase to the manual phase can take a really long time,” Zugec explains. Attackers move through the compromised networks one-by-one, targeting first the organizations they know are most valuable, or put compromised networks up for sale on cyber-crime marketplaces. “They are inside [the network], but they are undetected. You can have a lot of time on your hands between the initial compromise to the actual launch of the attack.”

“One thing I always recommend, especially for smaller and mid-market companies, is make sure you have detection and response capabilities. Doesn’t matter if it’s EDR, XDR, MDR. Threat actors generate a lot of noise, but in our investigations, we always see clues,” that could reveal these malware attacks, Zugec says. 

As these attacks are opportunistic, and target thousands or even tens of thousands of organizations at once, it’s not just large organizations that need to implement protection – it’s smaller teams as well. “Small and medium businesses must have these advanced capabilities because you are targets. If you think you don’t have enough computers or data, it’s about your business connections – they are in jeopardy.”

Bitdefender’s threat protection platform takes threat detection and response tools such as extended detection and response (XDR) and makes these available for smaller businesses as well as enterprises, Zugec says. “Our approach to XDR is that we’re building native XDR. It’s much easier to deploy and you have much higher fidelity data. Companies of all sizes need these capabilities, and my personal opinion is a lot of vendors are trying to push enterprise level technologies that are not prepared for it, they don’t have the people, budget or experience. We are designing everything we built so it can be used by smaller or mid-sized customers.”

There is also a clear need for a shift in legislation to help small companies deal with some of malware challenges caused by software vulnerabilities outside of their control, Zugec says. “I’m looking forward to legislation, shifting the responsibility from the smallest companies to software vendors, making sure they are not making vulnerable software and that they make responsible disclosures.”

“It’s time to fundamentally rethink as a society how we approach it, because you cannot have a small company with twenty employees being attacked by a professional ransomware group with potentially hundreds of members. It’s completely imbalanced. I’m looking forward for more legislation that is going to drive the technology to change in the future.”