Researchers have detailed a previously undocumented .NET-based post-exploitation framework called IceApple that has been deployed on Microsoft Exchange server instances to facilitate reconnaissance and data exfiltration.
“Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022,” CrowdStrike stated in a Wednesday report.
The cybersecurity company, which discovered the sophisticated malware in late 2021, noted its presence in multiple victim networks and in geographically distinct locations. Targeted victims span a wide range of sectors, including technology, academic, and government entities.
A post-exploitation toolset, as the name implies, is not used to gain initial access; rather, it is employed to carry out follow-on attacks after the hosts in question have already been compromised.
IceApple is notable for being an in-memory framework, indicating an attempt on the part of the threat actor to maintain a low forensic footprint and evade detection, which in turn bears all the hallmarks of a long-term intelligence-gathering mission.
While the intrusions observed so far have involved the malware being loaded on Microsoft Exchange Servers, IceApple is capable of running under any Internet Information Services (IIS) web application, making it a potent threat.
The different modules that come with the framework equip the malware to list and delete files and directories, write data, steal credentials, query Active Directory, and export sensitive data. Build timestamps on these components date back to May 2021.
“At its core, IceApple is a post-exploitation framework focused on increasing an adversary’s visibility of a target through acquisition of credentials and exfiltration of data,” the researchers concluded.
“IceApple has been developed by an adversary with detailed knowledge of the inner workings of IIS. Ensuring all web applications are regularly and fully patched is critical to preventing IceApple from ending up in your environment.”