CrowdStrike has detailed a new post-exploitation framework that could be the work of a state-sponsored threat actor, one likely linked to China.
Dubbed IceApple and targeting Microsoft Exchange servers, the framework is an in-memory-only tool designed to evade detection and provide long-time access to the compromised environments. The framework can also run on Internet Information Services (IIS) web server software.
CrowdStrike’s researchers have been tracking IceApple since late 2021, with the observed attacks spanning across the technology, academic and government sectors in multiple geographies. The observed activity, they say, aligns with China’s information gathering interests.
IceApple, the researchers note, is a highly sophisticated IIS post-exploitation framework focused on increasing an adversary’s visibility of the target environment, without offering exploitation or lateral movement capabilities.
To date, the researchers have identified 18 different IceApple modules that offer various types of functionality, and also observed that the framework is under active development and that the modules are constantly updated.
The modules support directory listing, writing to files, file and directory deletion, retrieval of network adapter configuration details, making HTTP requests, retrieving IIS server variables, credential dumping, Active Directory query execution, file exfiltration, and OWA credential capturing.
“Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software. One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers,” the researchers note.
CrowdStrike observed that in some cases, shortly after initial environment compromise, IceApple was deployed on multiple hosts for reconnaissance, credential harvesting, and data exfiltration purposes.
The researchers also observed the attackers returning daily to the compromised environments to continue their activities. As part of the identified long-running operations, the adversary would return every 10 to 14 days, using IceApple for credential harvesting and reconnaissance.