Researchers discovered a new.NET-based framework for data extraction and reconnaissance called IceApple. It was deployed on Microsoft Exchange servers instances.
“Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022,” CrowdStrike said in a Wednesday report.
The cybersecurity firm, which discovered the sophisticated malware in late 2021, noted its presence in multiple victim networks and in geographically distinct locations. The targeted victims include a variety of industries, such as government and academia.
A post-exploitation toolkit is used, unlike its name, to gain access to hosts. It is to perform follow-on attacks on host systems that have been compromised.
IceApple is notable for the fact that it’s an in-memory framework, indicating an attempt on the part of the threat actor to maintain a low forensic footprint and evade detection, which, in turn, bears all hallmarks of a long-term intelligence-gathering mission.
While intrusions have been detected involving malware loaded on Microsoft Exchange Servers so far, IceApple can run under any Internet Information Services web application making it an potent danger .
The different modules that come with the framework equip the malware to list and delete files and directories, write data, steal credentials, query Active Directory, and export sensitive data. Build timestamps on these components date back to May 2021.
“At its core, IceApple is a post-exploitation framework focused on increasing an adversary’s visibility of a target through acquisition of credentials and exfiltration of data,” the researchers concluded.
“IceApple was developed by an enemy with extensive knowledge about IIS’s inner workings. Ensuring all web applications are regularly and fully patched is critical to preventing IceApple from ending up in your environment. “
