CrowdStrike identifies new ‘IceApple’ post-exploitation framework – MeriTalk
Cybersecurity service provider CrowdStrike said today it has identified a sophisticated post-exploitation framework that was first detected in 2021 and has been observed in multiple victim environments in geographically distinct locations – with intrusions spanning the technology, academic and government sectors.
CrowdStrike’s Falcon Overwatch organization, which functions as the company’s “proactive threat-hunting team,” said it discovered a sophisticated .NET-based post-exploitation framework known as IceApple.
IceApple is a framework that CrowdStrike says is still under active development and, to date, has been observed being deployed on Microsoft Exchange server instances. It is also capable of running under any Internet Information Services (IIS) web application, the company said.
“IceApple is a post-exploitation framework – that means it does not provide access, but rather is used to further mission objectives after access has already been achieved,” CrowdStrike said. . “OverWatch’s investigations identified 18 distinct modules with functionality that includes discovery, credential harvesting, file and directory deletion, and data exfiltration.”
Adversaries have been observed by OverWatch returning to victimized environments to conduct post-exploitation activities.
To maintain a small digital footprint on an infected host, IceApple uses an in-memory-only framework and is “typical of long-range intelligence-gathering goals and aligns with a targeted state-sponsored mission.” However, CrowdStrike has yet to assign IceApple to a named threat actor.
“IceApple has a number of features to help it evade detection. Detailed analysis of the modules suggests that IceApple was developed by an adversary with deep knowledge of the inner workings of IIS software,” CrowdStrike writes. “One of the modules was even found to exploit undocumented fields that are not intended for use by third-party developers,” the company said.