IceApple Post-Exploitation Framework deployed on Exchange servers
Researchers are warning of a sophisticated post-exploitation framework being deployed on Microsoft Exchange server instances to perform credential harvesting and local reconnaissance against companies in the technology, academic, and government sectors.
The .NET-based framework, which the researchers call IceApple, contains 18 separate modules that remain under active development and are built to evade detection, including capabilities for credential harvesting, file and directory deletion, and data exfiltration.
None of these modules provides exploitation or lateral-movement capabilities. Post-exploitation frameworks like IceApple do not provide initial access; they are used to pursue malicious objectives after attackers have already compromised a system. In some cases, researchers observed attackers using the framework after repeatedly returning to the victim’s environment every ten to fourteen days, likely to ensure that access was continuously maintained.
“When used shortly after an adversary gained initial access, IceApple was quickly deployed to multiple hosts to facilitate credential harvesting from local and remote host registries, logging of credentials to OWA servers, reconnaissance and data exfiltration,” said researchers from CrowdStrike’s Falcon OverWatch threat hunting team in an analysis Wednesday. “OverWatch then observed adversaries returning daily to the networks to continue their activity.”
While build timestamps on modules used by the framework date back to May 2021, researchers first discovered the framework being loaded on Exchange servers in late 2021. Further investigation revealed that the adversary behind the framework has detailed knowledge of how Internet Information Services (IIS) works and is capable of targeting any IIS web application. IIS is Microsoft’s web server software, used to host websites and provide Internet services to end users.
The framework was loaded reflectively, via precompiled .NET assemblies, into an Exchange server application pool. Precompiled .NET assemblies have previously been used by adversaries with existing access to a system to load additional functionality, either via webshells or via malicious IIS components.
The researchers said they routinely discover reflectively loaded .NET assemblies of “different levels of sophistication,” from basic wrappers around Windows utilities (such as WMI) to modular frameworks with multiple layers of encryption that protect data in transit and between modules. This type of malicious activity can be detected when a reflective .NET load occurs under an IIS application or application pool that does not typically perform this type of operation, the researchers said.
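The detection heuristic described above (a reflective .NET load under an IIS application pool that does not normally perform one) is easy to express as a baseline comparison. The following is an added example, not code from the article or from CrowdStrike: it assumes endpoint telemetry that records each .NET assembly load by an IIS worker process (w3wp.exe) together with the application pool name and the backing file path, and treats a load with no file on disk as in-memory (reflective). The field names, the `LegacyReportsAppPool` pool and all events are constructed; `MSExchangeOWAAppPool` and `MSExchangeECPAppPool` are real Exchange pool names used here only as labels.

```python
"""Baseline-based detection of reflective .NET assembly loads under IIS app pools.

Added example (not the article's or CrowdStrike's code). Telemetry shape is an
assumption: one record per assembly load, with the process image, the IIS
application pool, the assembly name and the backing file path. A load with no
backing file models an in-memory (reflective) load.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class AssemblyLoad(NamedTuple):
    ts: str               # ISO-8601 timestamp
    image: str            # process image; IIS workers run as w3wp.exe
    app_pool: str         # IIS application pool served by that worker
    assembly: str         # name of the loaded assembly
    path: Optional[str]   # backing file on disk; None models an in-memory load


def is_reflective(ev: AssemblyLoad) -> bool:
    """An assembly load with no file on disk came from memory."""
    return ev.path is None


def build_baseline(history: List[AssemblyLoad]) -> Dict[str, int]:
    """Count in-memory loads per IIS app pool over a known-good window.

    Pools with a non-zero count routinely do this (e.g. an app that compiles
    code at run time); for every other pool a reflective load is unusual.
    """
    counts: Dict[str, int] = defaultdict(int)
    for ev in history:
        if ev.image.lower() == "w3wp.exe" and is_reflective(ev):
            counts[ev.app_pool] += 1
    return dict(counts)


def detect(events: List[AssemblyLoad], baseline: Dict[str, int]) -> List[dict]:
    """Alert on reflective loads in w3wp.exe under pools with no such history."""
    alerts = []
    for ev in events:
        if ev.image.lower() != "w3wp.exe" or not is_reflective(ev):
            continue
        if baseline.get(ev.app_pool, 0) == 0:
            alerts.append({
                "ts": ev.ts,
                "app_pool": ev.app_pool,
                "assembly": ev.assembly,
                "reason": "in-memory .NET load under a pool that has no baseline of reflective loads",
            })
    return alerts


# Constructed sample telemetry: a known-good history window ...
EXCH_BIN = r"C:\Program Files\Microsoft\Exchange Server\V15\bin"  # constructed path
HISTORY = [
    AssemblyLoad("2021-10-04T08:00:00Z", "w3wp.exe", "MSExchangeOWAAppPool",
                 "Microsoft.Exchange.Clients.Owa2.Server.dll",
                 EXCH_BIN + r"\Microsoft.Exchange.Clients.Owa2.Server.dll"),
    AssemblyLoad("2021-10-04T08:00:01Z", "w3wp.exe", "MSExchangeOWAAppPool",
                 "System.Web.dll", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll"),
    # constructed pool that legitimately builds report assemblies in memory
    AssemblyLoad("2021-10-05T12:00:00Z", "w3wp.exe", "LegacyReportsAppPool",
                 "DynamicReport_1.dll", None),
]

# ... and a later window to evaluate.
NEW_EVENTS = [
    AssemblyLoad("2021-11-20T03:10:00Z", "w3wp.exe", "MSExchangeOWAAppPool",
                 "Microsoft.Exchange.Clients.Owa2.Server.dll",
                 EXCH_BIN + r"\Microsoft.Exchange.Clients.Owa2.Server.dll"),
    AssemblyLoad("2021-11-20T03:10:02Z", "w3wp.exe", "MSExchangeOWAAppPool",
                 "[anonymous]", None),                       # should alert
    AssemblyLoad("2021-11-20T09:00:00Z", "w3wp.exe", "LegacyReportsAppPool",
                 "DynamicReport_2.dll", None),               # baselined, no alert
    AssemblyLoad("2021-11-21T03:12:00Z", "w3wp.exe", "MSExchangeECPAppPool",
                 "[anonymous]", None),                       # pool never seen doing this
    AssemblyLoad("2021-11-21T03:13:00Z", "powershell.exe", "",
                 "[anonymous]", None),                       # not an IIS worker, ignored here
]


def run_example() -> List[dict]:
    """Build the baseline from HISTORY and evaluate NEW_EVENTS."""
    return detect(NEW_EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline suppresses pools where in-memory loads are part of normal operation, so the rule does not fire on every reflective load; what remains is the case the researchers single out, a pool such as the Exchange OWA or ECP pool suddenly loading assemblies that have no file on disk.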
“While many assemblies…are seen only once in a customer’s environment and then never again, a few, like IceApple, continue to be reused on target networks while showing signs of active development,” the researchers said.
The researchers said IceApple’s in-memory-only design shows that the actor prioritizes a low forensic footprint on targeted systems. In addition, its many modules support a wide range of features, including listing and deleting directories, writing data to a file, retrieving the configuration of installed network adapters, retrieving IIS server variables, dumping credentials stored in registry keys on the infected host, performing Active Directory queries and capturing OWA credentials.
“This is typical of long-term goals aimed at intelligence gathering and aligns with a targeted state-sponsored mission,” the researchers said.