"Post-Exploitation Framework Targets Microsoft Servers"

Since at least 2021, a post-exploitation framework known as IceApple has been targeting global enterprises that run Microsoft's extensible web server software and Microsoft Exchange servers, according to Falcon OverWatch, CrowdStrike's proactive threat hunting team. To prevent detection, IceApple leverages in-memory execution and unique stealth techniques. In contrast to malware, a post-exploitation framework does not provide initial access; it is employed to further mission objectives after access has already been gained. IceApple has yet to be linked to a specific threat actor, but the targeted intrusions align with "China-nexus, state-sponsored collecting requirements."

IceApple uses the .NET framework and .NET assemblies to target victims, most of which are technology, academic, and government organizations. Depending on the scope of the intrusion, the threat actor deploys different IceApple modules in different customer environments. According to researchers, IceApple demonstrates persistence and long-term objectives for collecting intelligence, harvesting credentials, deleting files and directories, and exfiltrating data. IceApple executes in memory, emphasizing the adversary's priority of leaving a small forensic footprint on the infected host. The threat actor has been steadily expanding the framework with new modules, features, and evasion tactics.

Param Singh, vice president of Falcon OverWatch at CrowdStrike, says the threat actor's goal is to remain undetected in the victim's environment and exfiltrate data. An examination of the modules suggests IceApple was created by an adversary with extensive knowledge of IIS software. One of the modules was even discovered to be using undocumented fields that were not intended for third-party developers to use. This article continues to discuss the IceApple post-exploitation framework and recommendations for detecting and mitigating the threat of such frameworks.

BIS reports "Post-Exploitation Framework Targets Microsoft Servers"