Cybersecurity services provider CrowdStrike said today it has identified a sophisticated post-exploitation framework that was first detected in 2021 and that has been observed in multiple victim environments in geographically distinct locations – with intrusions spanning technology, academic, and government sectors.
CrowdStrike’s Falcon OverWatch organization, which functions as the company’s “proactive threat hunting team,” said it uncovered the .NET-based post-exploitation framework, known as IceApple.
CrowdStrike said IceApple is still under active development and, to date, has been observed deployed on Microsoft Exchange Server instances. Because Exchange’s web-facing services are themselves hosted in Internet Information Services (IIS), the framework is not tied to Exchange: it is capable of running under any IIS web application, the company said.
“IceApple is a post-exploitation framework — this means it does not provide access, rather it is used to further mission objectives after access has already been achieved,” said CrowdStrike. “OverWatch’s investigations have identified 18 distinct modules with functionality that includes discovery, credential harvesting, file and directory deletion and data exfiltration.”
OverWatch also observed adversaries returning to victim environments to carry out further post-exploitation activity.
To keep its footprint on an infected host small, IceApple runs entirely in memory, which means its modules leave no file on disk for conventional file-based scanning to find. CrowdStrike said this tradecraft is “typical of long-running objectives aimed at intelligence collection and aligns with a targeted, state-sponsored mission.” However, CrowdStrike has not yet attributed IceApple to any named threat actor.
“IceApple has a number of features to help it evade detection. Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software,” CrowdStrike wrote. “One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers.”