Post-Exploitation Framework Targets Microsoft ServersIIS, Exchange Servers at Risk From Stealth-Focused Actors Using IceApple
A post-exploitation framework dubbed IceApple has been targeting global organizations that use Internet Information Services - Microsoft's extensible web server software - and Microsoft Exchange servers since at least 2021, says Falcon OverWatch, the proactive threat hunting team at CrowdStrike. IceApple uses in-memory execution and unique stealth techniques to avoid detection.
A post-exploitation framework is different from malware in that it does not provide access. It is instead used to further mission objectives after access has already been achieved.
While CrowdStrike has not attributed IceApple to a named threat actor yet, it says the targeted intrusions align with "China-nexus, state-sponsored collection requirements."
IceApple can leverage the .NET framework and assemblies to target victims, most of which are organizations in the technology, academic and government sectors. The threat actor also deploys different IceApple modules in different customer environments, depending on the extent of the compromise, CrowdStrike adds.
The researchers say that IceApple shows persistence and long-running objectives aimed at intelligence collection, such as credential harvesting, file and directory deletion and data exfiltration. IceApple uses in-memory execution, highlighting the adversary's priority of maintaining a low forensic footprint on the infected host, and it uses unique stealth techniques, detailed below, to avoid detection.
The Falcon OverWatch team says the threat actor behind this framework appears to be particularly focused on stealth techniques and is continuously evolving.
The threat actor has been continuously adding new modules, features and evasion techniques to their framework, Param Singh, vice president of Falcon OverWatch at CrowdStrike, tells Information Security Media Group.
Singh says the threat actor's goal is "to stay hidden within the victim's environment and also to exfiltrate data." Over a period of time, he says, the team saw different versions of IceApple. "They are actively developing their framework and adding modules. In doing so, they are improving the stealth feature," Singh says.
An analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software, the team says. One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers.
Efforts to blend in with the victim environment are also seen with the assembly file names themselves. At first glance, they appear to be IIS temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. But a closer inspection shows that the file names are not randomly generated and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS, the team says.
The Falcon OverWatch team's familiarity with how systems should operate - and also how adversaries attempt to corrupt these systems - enabled it to quickly identify this suspicious activity.
"This is one of the stealthiest frameworks that we have seen. The threat actor uses a modular framework that encrypts all the files in storage," Singh says.
The malicious modules or files are selectively loaded into memory, depending on what action needs to be performed. They are then decrypted in memory and the action is performed. After that, they are offloaded from memory, thus making IceApple safe from detection by malware scanners.
The post-exploitation framework also appears to use other obfuscation techniques.
"The adversary has intentionally kept the file sizes very small, ranging between 7KB and 12KB. Further, the files are named in a way that makes them appear like temporary files or Microsoft system files with file names like web, ASP and some random number. So they are using layers of evasion techniques with a focus on evasiveness and persistence. And that's what makes IceApple different from the other post-exploitation frameworks we have seen," Singh says.
IIS Server Exploits
To date, IceApple has been deployed only on Microsoft Exchange server instances, but it is capable of running under any IIS web application, CrowdStrike says. "As such, ensuring all web applications are fully patched is critical to ensuring IceApple doesn’t end up in your environment," a white paper from CrowdStrike says.
"They need to find some vulnerability in the IIS server to deploy this framework," says Singh. "Some ways are infecting libraries like Log4j or exploiting any of the top 20 OWASP vulnerabilities to get access to your IIS. On doing so, they can deploy this framework. Being a post-exploitation framework, after exploiting your IIS server, they can remain in your environment."
Threat Detection and Mitigation
To detect post-exploitation frameworks and mitigate risks, the team recommends doing the following:
- Deploy a behavior-based EDR system that does in-memory analysis.
- Ensure that your threat detection solution has artificial intelligence and machine-learning capabilities.
- Use a sensor that provides unfiltered telemetry.
- Use a cloud-based, massively scalable graph database to visualize and evaluate voluminous event data generated by the thousands of endpoints and cloud workloads. A graph database can identify and stop attacks in progress.
- Work with eagle-eyed internal teams or third parties that specialize in threat hunting to detect stealth behavior from such anomalies.