IceApple is a post-exploitation malware framework that has been found deployed on Microsoft Exchange Servers at organizations in several sectors across multiple regions. The campaign appears to be focused on intelligence gathering and has been tied to a targeted, state-sponsored operation.
IceApple is described as consisting of 18 separate modules with functions that include file exfiltration, credential harvesting, and file and directory deletion.
CrowdStrike's analysis indicates the modules are designed to run only in memory, to avoid leaving traces on disk on a compromised system.
The other detection-evasion techniques used in the framework also suggest the adversary has deep knowledge of Internet Information Services (IIS) web applications.
During its analysis, the team found that the threat actor repeatedly returned to infected systems and used IceApple to operate on them.
“While IceApple has been observed being deployed on Microsoft Exchange Server instances, it is actually capable of running under any IIS Web application,” said Param Singh, Vice President of CrowdStrike Falcon Threat Hunting Services.
CrowdStrike discovered IceApple in late 2021 while developing detections for malicious activity involving so-called reflective .NET assembly loads. Reflective code loading is like process injection except that code is loaded into a process’s own memory rather than that of another process.
“.NET assemblies form the cornerstone of Microsoft’s .NET framework,” Singh says. “An assembly can function as either a stand-alone application in the form of an EXE file or as a library for use in other applications as a DLL.”
IceApple’s modular design lets the adversary build each piece of functionality into its own .NET assembly and then reflectively load each one only when it is needed.
“If not caught, this technique can leave security defenders completely blind to such attacks,” Singh says. “For example, defenders will see a legitimate application like a Web server connecting out to a suspicious IP; however, they have no means of knowing what code is triggering that connection.”
The malware uses several tactics to evade detection. One is the use of undocumented IIS internals. Another is blending into the environment by giving its assemblies file names that look like normal IIS temporary files.
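The two evasion points above (memory-only assembly loads that never touch disk, and assembly names that imitate ASP.NET's compiled temporary files) are exactly what a hunt over CLR module-load telemetry can key on. The following is an added example written for this page, not CrowdStrike's tooling or IceApple's code. It assumes module-load records shaped like the CLR ETW ModuleLoad event (loading process, module file name, and the on-disk path backing the module, which is empty when an assembly is loaded from a byte array); it also assumes, for illustration, that ASP.NET's compiled temporary assemblies are named App_Web_<8 hex chars>.dll and live under a "Temporary ASP.NET Files" directory. The sample records are constructed.

```python
"""Triage .NET module-load telemetry for IceApple-style reflective loads in IIS.

Added example (not CrowdStrike's or IceApple's code). Assumed record shape:
process image name, module file name, and the IL path backing the module
("" when the assembly was loaded from a byte array). Assumed naming convention
for ASP.NET compiled temp assemblies: App_Web_<8 hex>.dll under a
"Temporary ASP.NET Files" directory. Sample records below are constructed.
"""
import re
from dataclasses import dataclass

# Assumed ASP.NET temp-assembly naming convention (illustrative).
ASPNET_TEMP_NAME = re.compile(r"^App_Web_[0-9a-f]{8}\.dll$", re.IGNORECASE)
ASPNET_TEMP_DIR = "temporary asp.net files"


@dataclass(frozen=True)
class ModuleLoad:
    process: str   # image name of the loading process, e.g. w3wp.exe
    assembly: str  # module file name as reported by the loader
    il_path: str   # on-disk path backing the module; "" for byte-array loads


def triage(records):
    """Return (record, reason) pairs from IIS worker processes worth a look.

    Rule 1: a module with no backing file in w3wp.exe is a memory-only load,
            the pattern the reflective-loading discussion describes.
    Rule 2: a module named like an ASP.NET temp assembly but loaded from
            outside the temp directory is impersonating a legitimate artifact.
    """
    findings = []
    for r in records:
        if r.process.lower() != "w3wp.exe":
            continue  # this hunt is scoped to IIS worker processes
        looks_like_temp = bool(ASPNET_TEMP_NAME.match(r.assembly))
        in_temp_dir = ASPNET_TEMP_DIR in r.il_path.lower()
        if r.il_path == "":
            findings.append((r, "memory-only assembly load in IIS worker (no backing file)"))
        elif looks_like_temp and not in_temp_dir:
            findings.append((r, "ASP.NET temp-assembly name used outside the temp directory"))
    return findings


# Constructed sample telemetry: one legitimate compiled page, one reflective
# load using a look-alike name, one look-alike dropped under the web root,
# and one out-of-scope process.
SAMPLE = [
    ModuleLoad("w3wp.exe", "App_Web_3f9c1a7b.dll",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"
               r"\root\a1b2c3d4\App_Web_3f9c1a7b.dll"),
    ModuleLoad("w3wp.exe", "App_Web_9e2d44c1.dll", ""),
    ModuleLoad("w3wp.exe", "App_Web_0badf00d.dll",
               r"C:\inetpub\wwwroot\aspnet_client\App_Web_0badf00d.dll"),
    ModuleLoad("explorer.exe", "Newtonsoft.Json.dll", ""),
]

if __name__ == "__main__":
    for rec, why in triage(SAMPLE):
        print(f"{rec.process} {rec.assembly!r} path={rec.il_path!r}: {why}")
```

Rule 1 will also fire on legitimate dynamic assemblies (anything produced with Reflection.Emit by serializers or proxy generators has no IL path either), so in practice the memory-only hits are baselined by assembly name per application pool before being treated as suspicious; the look-alike naming in rule 2 has no such benign explanation.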
The framework exfiltrates data in several ways. The team cited two modules as examples:
- File Exfiltrator module – steals a single file from the target host.
- Multi-file Exfiltrator module – encrypts, compresses, and exfiltrates multiple files from the target host.
“This campaign is currently active and effective,” he warns. “But it is unknown at the moment how many organizations may have been impacted by this campaign beyond where CrowdStrike has visibility and those that might have been indirectly impacted via supply chain or other methods.”