CrowdStrike’s Falcon OverWatch threat hunting team has exposed a new, highly sophisticated post-exploitation framework. Dubbed IceApple, this Internet Information Services (IIS) framework was built by a threat actor who apparently possesses detailed knowledge of IIS internals.
The campaign
As of May, IceApple comprises 18 modules, remains under active development, and has been deployed across several enterprise environments.
The malware was discovered in 2021 and has targeted victims in the academic, government, and technology sectors.
It runs entirely in memory, indicating that the threat actor aims to keep a low forensic footprint on victim hosts.
The long-running campaign focuses on intelligence gathering, which points to a state-sponsored mission; it reportedly aligns with China-nexus, state-sponsored intrusions.
Why this matters
While the IceApple intrusions observed so far involved loading the malware on Microsoft Exchange servers, the framework is capable of running on any IIS web application. This makes it a significant threat, and means defenders should not limit their hunting to Exchange hosts alone.
The modules shipped with the malware enable it to list and delete directories and files, steal credentials, write data, exfiltrate sensitive data, and query Active Directory.
IceApple’s primary purpose is to increase the operator’s visibility into the target environment by harvesting credentials and pilfering confidential information.
Malware details
The malware’s modular design lets the threat actor package each piece of functionality as its own .NET assembly and reflectively load it only when needed.
MITRE defines reflective code loading as a technique for concealing malicious payloads: allocating and executing payloads directly in the memory of a running process, rather than from a file on disk.
Such payloads can include compiled binaries, fileless executable code, and anonymous files that exist only in memory.
Because nothing is written to disk, reflective code loading can leave security teams unaware of these attacks: they may notice a web server connecting to a suspicious IP address, but file-based tooling will not reveal which code initiated the connection.
The bottom line
IceApple is a potent threat that employs novel tactics to evade detection, and it can pilfer data in several ways. The campaign is currently active and appears to be highly effective. At the moment, researchers have not been able to enumerate the victims. Since IceApple is a post-exploitation framework that depends on an earlier compromise of the web server, it is imperative that all web applications are patched on a regular basis to deny it a foothold in your network.