A likely China-based, state-sponsored threat actor has been deploying a sophisticated post-exploitation malware framework on Microsoft Exchange servers at organizations in the technology, academic, and government sectors across multiple regions since at least last fall.
The goal appears to be intelligence gathering, and the activity is tied to a targeted state-sponsored campaign, according to researchers at CrowdStrike. The security vendor is tracking the framework as "IceApple" and described it in a report this week as made up of 18 separate modules with a range of functions that include credential harvesting, file and directory deletion, and data exfiltration.
CrowdStrike's analysis shows the modules are designed to run only in-memory to reduce the malware's footprint on an infected system — a tactic that adversaries often employ in long-running campaigns. The framework also has several other detection-evasion techniques that suggest the adversary has deep knowledge of Internet Information Services (IIS) Web applications. For instance, CrowdStrike observed one of the modules leveraging undocumented fields in IIS software that are not intended to be used by third-party developers.
Over the course of their investigation of the threat, CrowdStrike researchers saw evidence of the adversaries repeatedly returning to compromised systems and using IceApple to execute post-exploitation activities.
Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting services, says IceApple differs from other post-exploitation toolkits in that it is under constant development even as it is being actively deployed and used. "While IceApple has been observed being deployed on Microsoft Exchange Server instances, it is actually capable of running under any IIS Web application," Singh says.
Microsoft .NET Link
CrowdStrike discovered IceApple while developing detections for malicious activity involving so-called reflective .NET assembly loads. MITRE defines reflective code loading as a technique that threat actors use to conceal malicious payloads. It involves allocating and executing payloads directly in the memory of a running process. Reflectively loaded payloads can include compiled binaries, anonymous files, or just bits of fileless executables, according to MITRE. Reflective code loading is like process injection except that code is loaded into a process's own memory rather than that of another process, MITRE has noted.
".NET assemblies form the cornerstone of Microsoft’s .NET framework," Singh says. "An assembly can function as either a stand-alone application in the form of an EXE file or as a library for use in other applications as a DLL."
CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was developing for reflective .NET assembly loads triggered on an Exchange Server at a customer location. The company's investigation of the alert showed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.
Active Cyberattack Campaign
IceApple's modular design gave the adversary a way to build each piece of functionality into its own .NET assembly and then reflectively load each function only as needed. "If not caught, this technique can leave security defenders completely blind to such attacks," Singh says. "For example, defenders will see a legitimate application like a Web server connecting out to a suspicious IP; however, they have no means of knowing what code is triggering that connection."
Singh says CrowdStrike found IceApple to be using a couple of unique tactics to evade detection. One of them is to use undocumented fields in IIS. The other is to blend into the environment by using assembly file names that appear to be normal IIS temporary files. "At closer inspection, the file names are not randomly generated, as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS," Singh says.
The IceApple framework is designed to exfiltrate data in several ways. For instance, one of the modules, known as the File Exfiltrator module, allows for a single file to be pilfered from the target host. Another module, called the multifile exfiltrator, allows for multiple files to be encrypted, compressed, and exfiltrated, according to Singh.
"This campaign is currently active and effective," he warns. "But it is unknown at the moment how many organizations may have been impacted by this campaign beyond where CrowdStrike has visibility and those that might have been indirectly impacted via supply chain or other methods."