New IceApple Exploit toolset deployed on Microsoft Exchange Servers
Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography.
IceApple is described as being “highly sophisticated,” its developer prioritizing keeping a low profile for long-term objectives in targeted attacks.
Running on Microsoft Exchange and IIS
The framework was discovered by the Falcon OverWatch team, CrowdStrike’s proactive threat hunting division, in late 2021 and it is under active development.
The researchers observed IceApple being deployed after the threat actor obtains initial access to the network belonging to organizations in various activity sectors: technology, academic, and government.
According to the researchers, IceApple has been deployed on Microsoft Exchange Server instances but it can also run under Internet Information Services (IIS) web applications.
The framework is .NET-based and comes with at least 18 modules, each for a specific task, that help the attacker discover relevant machines on the network, steal credentials, delete files and directories, or exfiltrate valuable data.
CrowdStrike’s OverWatch team says that the IceApple behavior they observed aligns with activity normally seen in attacks from a state-sponsored adversary.
While there is no definite attribution to a threat actor at the moment, the researchers say that the targeted intrusions appear to align with China’s objectives.
Built for stealthy activity
The threat actor behind IceApple has a solid grasp of the IIS software. One indication of this is the presence of a module that takes advantage of undocumented fields, which were not for third-party developers.
“Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software” – CrowdStrike OverWatch
To keep a low profile on the compromised host, IceApple’s modules run in memory, thus keeping the forensic footprint to a minimum.
Additional efforts to remain undetected include blending into the compromised environment by creating assembly files that appear to be generated temporarily by Microsoft’s IIS web server.
“At first glance they appear to be expected IIS temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load” – CrowdStrike OverWatch
However, a closer look reveals that the files have not been randomly created and they are loaded in a way that is not typical of Microsoft Exchange and IIS.
Discovering IceApple was possible after CrowdStrike’s Falcon cloud-based security solution triggered an alert at a new customer’s Microsoft OWA deployment for .NET assembly files loaded reflectively.
IceApple is likely to have undiscovered modules and its developers are expected to advance the framework even more, to adapt to detection technology.
CrowdStrike has not provided an exact number for the victims where IceApple was detected but the company observed intrusions at multiple victim environments.
The company strongly recommends installing the latest patches for all web applications for a strong defense against the threat actor behind IceApple.