URL: https://www.darkreading.com/attacks-breaches/threat-actor-deploying-sophisticated-post-exploit-framework-on-exchange-servers

Attacks/Breaches

Cyber-Espionage Attack Drops Post-Exploit Malware Framework on Microsoft
Exchange Servers

IceApple's 18 separate modules include those for data exfiltration, credential
harvesting, and file and directory deletion, CrowdStrike warns.
Jai Vijayan
Contributing Writer, Dark Reading
May 11, 2022
A likely China-based, state-sponsored threat actor has been deploying a
sophisticated post-exploitation malware framework on Microsoft Exchange servers
at organizations in the technology, academic, and government sectors across
multiple regions since at least fall 2021.



The goal of the campaign appears to be intelligence gathering and is tied to a
targeted state-sponsored campaign, according to researchers at CrowdStrike. The
security vendor is tracking the framework as "IceApple" and described it in a
report this week as made up of 18 separate modules with a range of functions
that include credential harvesting, file and directory deletion, and data
exfiltration.

CrowdStrike's analysis shows the modules are designed to run only in memory to
reduce the malware's footprint on an infected system, a tactic that adversaries
often employ in long-running campaigns. The framework also has several other
detection-evasion techniques that suggest the adversary has deep knowledge of
Internet Information Services (IIS) Web applications. For instance, CrowdStrike
observed one of the modules leveraging undocumented fields in IIS software that
are not intended to be used by third-party developers.

Over the course of their investigation of the threat, CrowdStrike researchers
saw evidence of the adversaries repeatedly returning to compromised systems and
using IceApple to execute post-exploitation activities.



Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting
services, says IceApple is different from other post-exploitation toolkits in
that it is under constant ongoing development even as it is being actively
deployed and used. "While IceApple has been observed being deployed on Microsoft
Exchange Server instances, it is actually capable of running under any IIS Web
application," Singh says.

Microsoft .NET Link
CrowdStrike discovered IceApple while developing detections for malicious
activity involving so-called reflective .NET assembly loads. MITRE ATT&CK
(technique T1620) defines reflective code loading as a technique that threat
actors use to conceal malicious payloads. It involves allocating and executing
payloads directly in the memory of a running process. Reflectively loaded
payloads can include compiled binaries, anonymous files, or just snippets of
fileless executable code, according to MITRE. Reflective code loading is like
process injection except that the code is loaded into the process's own memory
rather than into that of another process, MITRE has noted.

".NET assemblies form the cornerstone of Microsoft’s .NET framework," Singh
says. "An assembly can function as either a stand-alone application in the form
of an EXE file or as a library for use in other applications as a DLL."



CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was
developing for reflective .NET assembly loads triggered on an Exchange Server at
a customer location. The company's investigation of the alert showed anomalies
in several .NET assembly files, which in turn led to the discovery of the
IceApple framework on the system.

Active Cyberattack Campaign
IceApple's modular design gave the adversary a way to build each piece of
functionality into its own .NET assembly and then reflectively load each
function only as needed. "If not caught, this technique can leave security
defenders completely blind to such attacks," Singh says. "For example, defenders
will see a legitimate application like a Web server connecting out to a
suspicious IP; however, they have no means of knowing what code is triggering
that connection."

Singh says CrowdStrike found IceApple to be using a couple of unique tactics to
evade detection. One of them is to use undocumented fields in IIS. The other is
to blend into the environment by using assembly file names that appear to be
normal IIS temporary files. "At closer inspection, the file names are not
randomly generated, as would be expected, and the way the assemblies are loaded
falls outside of what is normal for Microsoft Exchange and IIS," Singh says.
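The following is an added example, written for this page rather than code from the article, CrowdStrike, or IceApple. It ties together the two points above: what a reflective .NET assembly load (the "Microsoft .NET Link" section) looks like from inside a process, and the two hunting heuristics Singh describes in this paragraph, a byte-loaded assembly having no file behind it and an assembly name that imitates an ASP.NET temporary file. It runs under Windows PowerShell 5.1 and inspects only its own process; the assembly name `App_Web_ice4pple`, the `Probe` type, the message string, and the `App_Web_<8 chars>.dll` naming pattern are assumptions made for the demonstration (IceApple's real file names are not given in the article).

```powershell
# Added example (not code from the article, CrowdStrike or IceApple).
# Windows PowerShell 5.1. Builds a tiny assembly, loads it from a byte array the
# way a reflective loader does, then applies two hunting heuristics to every
# assembly in this process. Names below are assumptions for the demo.

$source = @'
public static class Probe {
    public static string Hello() { return "loaded from bytes, no file behind me"; }
}
'@

# 1. Compile to a throwaway DLL on disk, read it into memory, delete the file.
#    The name mimics the App_Web_<8 chars>.dll pattern ASP.NET uses for its own
#    dynamically compiled assemblies (assumed lookalike name).
$tmp = Join-Path $env:TEMP 'App_Web_ice4pple.dll'
$provider = New-Object Microsoft.CSharp.CSharpCodeProvider
$cp = New-Object System.CodeDom.Compiler.CompilerParameters
$cp.GenerateInMemory = $false          # write the file, do not load it yet
$cp.OutputAssembly   = $tmp
$res = $provider.CompileAssemblyFromSource($cp, $source)
if ($res.Errors.HasErrors) { throw ($res.Errors | Out-String) }
$bytes = [System.IO.File]::ReadAllBytes($tmp)
Remove-Item $tmp -Force                # nothing holds the file open, so this succeeds

# 2. Reflective load (MITRE T1620): the CLR maps the PE straight from the byte
#    array. No file is opened, so image-load telemetry keyed on paths never fires
#    and the module does not appear in the process's loaded-module list.
$asm = [System.Reflection.Assembly]::Load($bytes)
$asm.GetType('Probe').GetMethod('Hello').Invoke($null, $null)

# 3. Hunt. Heuristic A: a byte-loaded assembly reports an empty Location.
#    Heuristic B: genuine ASP.NET temp assemblies live under
#    ...\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\ ; a
#    temp-style name loaded from anywhere else (or from nowhere) is suspicious.
#    Reflection.Emit assemblies are skipped: .Location throws on them and they
#    are a different, usually benign, case.
$tempNamePattern = '^App_Web_[a-z0-9_-]{8}$'     # assumed approximation of ASP.NET's naming
$aspTempRoot     = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'

$findings = foreach ($a in [AppDomain]::CurrentDomain.GetAssemblies()) {
    if ($a.IsDynamic) { continue }
    $name = $a.GetName().Name
    $loc  = $a.Location
    $why  = @()
    if ([string]::IsNullOrEmpty($loc)) {
        $why += 'no backing file (byte-array load)'
    }
    if ($name -match $tempNamePattern -and -not $loc.StartsWith($aspTempRoot, 'OrdinalIgnoreCase')) {
        $why += 'ASP.NET temp-style name outside Temporary ASP.NET Files'
    }
    if ($why) {
        [pscustomobject]@{ Assembly = $name; Location = $loc; Why = ($why -join '; ') }
    }
}
$findings | Format-Table -AutoSize
```

Run as-is, the table lists `App_Web_ice4pple` with both reasons, plus any other in-memory assemblies the session happens to carry (PowerShell itself compiles some helper code this way, which is exactly why the name heuristic is needed alongside the empty-Location one). On an Exchange server the same checks have to be applied to the `w3wp.exe` worker processes rather than to your own shell: either subscribe to the `Microsoft-Windows-DotNETRuntime` ETW provider's Loader events as assemblies are loaded, or walk the CLR heap of a memory dump with a debugger. A listing of `(Get-Process w3wp).Modules` will not show these assemblies at all, which is the absence Singh is describing.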

The IceApple framework is designed to exfiltrate data in several ways. For
instance, one of the modules, known as the File Exfiltrator module, allows for a
single file to be pilfered from the target host. Another module, called the
multifile exfiltrator, allows for multiple files to be encrypted, compressed,
and exfiltrated, according to Singh.

"This campaign is currently active and effective," he warns. "But it is unknown
at the moment how many organizations may have been impacted by this campaign
beyond where CrowdStrike has visibility and those that might have been
indirectly impacted via supply chain or other methods."

Tags: Threat Intelligence, Application Security
Copyright © 2022 Informa PLC Informa UK Limited is a company registered in
England and Wales with company number 1072954 whose registered office is 5
Howick Place, London, SW1P 1WG.

This site uses cookies to provide you with the best user experience possible. By
using Dark Reading, you accept our use of cookies.

Accept