A novel post-exploitation framework that enables malicious actors to persist on their targets was uncovered Wednesday by CrowdStrike’s Falcon OverWatch threat hunters. Dubbed IceApple, the .NET-based framework has been observed since late 2021 in multiple victim environments in geographically diverse locations, with targets spanning the technology, academic and government sectors, according to CrowdStrike’s report.
So far, Falcon OverWatch’s threat hunters have found the framework only on Microsoft Exchange instances, but they said it is capable of running under any Internet Information Services (IIS) web application, and they advise organizations to make sure their web apps are fully patched to avoid infection.
“While the use of .NET and reflective code in attacks is common, what’s uncommon is how these threat actors are trying to evade detection,” Falcon OverWatch Vice President Param Singh tells CSO. “They’re not using one evasion technique. They’re using six or seven evasion techniques.”
IceApple targets hard-coded Microsoft APIs
CrowdStrike outlined ways in which IceApple is designed to avoid detection. For example, it is an in-memory-only framework, which helps the software maintain a low forensic footprint in a targeted environment.
The threat hunters also found one of the framework’s modules leveraging undocumented APIs not intended for use by third-party developers. Singh explains that Microsoft has created two sets of APIs: a user-friendly set typically used by third-party developers and an undocumented set for Microsoft’s own developers. “Malware authors and normal developers use the user-friendly APIs,” he says. “What IceApple threat actors are doing is bypassing the user-friendly APIs and going directly to the hard-coded Microsoft APIs. That bypass is evasive because most security vendors tap into only the user-friendly APIs.”
Another evasion method can be found in how the files used to build the framework are named. At first glance, they appear to be typical temporary files generated as part of the process of compiling ASPX source files into .NET assemblies for IIS to load. Closer inspection reveals that the filenames are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS.
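One way a defender can hunt for the naming anomaly described above is to compare the assembly names found under an IIS host’s temporary ASP.NET directories against the convention the ASP.NET compiler actually follows, and to look for “random” names that recur across hosts, since genuinely random compilation output should not repeat. The script below is an added example, not code from CrowdStrike or the report; it assumes (based on how ASP.NET dynamic compilation normally names its output) that legitimate files look like App_Web_ followed by eight lowercase alphanumeric characters and .dll, and the host inventory it scans is constructed for illustration rather than taken from any real incident.

```python
import re
from collections import defaultdict

# Assumption: ASP.NET dynamic compilation emits assemblies named
# App_Web_<8 lowercase alphanumerics>.dll under "Temporary ASP.NET Files".
ASPNET_TEMP_NAME = re.compile(r"^App_Web_([a-z0-9]{8})\.dll$")

# Constructed inventory of (hostname, assembly filename) pairs gathered from
# several Exchange/IIS servers. These are illustrative values, not real IoCs.
INVENTORY = [
    ("exch01", "App_Web_ql3zfkvj.dll"),
    ("exch01", "App_Web_k2p0ab7c.dll"),
    ("exch02", "App_Web_x8rm4tqa.dll"),
    ("exch02", "App_Web_k2p0ab7c.dll"),   # same "random" suffix as on exch01
    ("exch03", "App_Web_k2p0ab7c.dll"),   # and again on a third host
    ("exch03", "App_Web_Main.dll"),       # does not follow the convention
    ("exch03", "App_Web_ABCDEFGH.dll"),   # uppercase suffix, not compiler output
]


def classify(inventory, min_hosts=2):
    """Return (host, filename, reason) findings for assemblies whose names either
    break the expected App_Web_<random>.dll pattern or whose supposedly random
    suffix is reused on at least `min_hosts` distinct hosts."""
    findings = []
    suffix_hosts = defaultdict(set)

    for host, name in inventory:
        match = ASPNET_TEMP_NAME.match(name)
        if not match:
            findings.append((host, name, "name does not follow App_Web_<random>.dll convention"))
            continue
        suffix_hosts[match.group(1)].add(host)

    # A compiler-generated suffix is per-compilation; the same suffix on several
    # hosts suggests the file was planted rather than produced by IIS.
    for suffix, hosts in suffix_hosts.items():
        if len(hosts) >= min_hosts:
            for host in sorted(hosts):
                findings.append((host, f"App_Web_{suffix}.dll", f"suffix reused on {len(hosts)} hosts"))

    return sorted(findings)


if __name__ == "__main__":
    for host, name, reason in classify(INVENTORY):
        print(f"{host}\t{name}\t{reason}")
```

On a real fleet the inventory would come from a file listing collected by your EDR or a scheduled task across IIS hosts; the regular expression is the part to verify against a known-clean server before relying on it, because a different .NET version or a custom build pipeline could legitimately change the naming.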
Small footprint makes IceApple hard to detect
IceApple also uses “chunking” techniques to keep its footprint small and reduce the risk of detection. “Since the framework uses a modular approach, the attackers can break down their code into chunks and only drop the chunks relevant to a particular target environment,” Singh explains. “We found 18 different modules, but some targets may see only seven, because the attacker may be interested in only persistence and not exfiltration.”
“By breaking down the big framework into smaller chunks, they can keep the file sizes much smaller,” Singh says. “Many times when a file is labeled as a temporary file and it’s only in kilobytes, you might think it’s really just a temporary file. Only when temporary files are in the megabytes do they become suspicious.”
IceApple aims align with nation-state targets
The CrowdStrike report also notes that IceApple’s long-running objectives, aimed at intelligence collection, align with a targeted, state-sponsored mission. “We have seen similar combinations of evasion techniques from nation-state threat actors,” Singh says. “Multiple levels of evasion are used by threat actors who want to make sure that they’re not kicked off a machine. They’re persistent and running a long-term campaign.”
Copyright © 2022 IDG Communications, Inc.