A China-based nation-state threat actor has been deploying a sophisticated post-exploitation malware framework on Microsoft Exchange servers at organizations in multiple regions, according to a newly published CrowdStrike report.
The goal of the campaign is intelligence gathering, and the activity is tied to a targeted state-sponsored campaign. CrowdStrike tracks the framework as IceApple; it is made up of 18 separate modules with a range of functions that include credential harvesting, file and directory deletion, and data exfiltration.
CrowdStrike’s analysis shows the modules are designed to run only in memory to reduce the malware’s footprint on an infected system. The framework also uses several other detection-evasion techniques that suggest the adversary has deep knowledge of Internet Information Services (IIS) web applications.
Researchers saw evidence of the adversaries repeatedly returning to compromised systems and using IceApple to execute post-exploitation activities.
CrowdStrike discovered IceApple while developing detections for malicious activity involving so-called reflective .NET assembly loads. Reflective code loading is similar to process injection, except that the code is loaded into the loading process’s own memory rather than into the memory of another process.
CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was developing for reflective .NET assembly loads triggered on an Exchange Server at a customer location. The company’s investigation of the alert showed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.
The IceApple framework is designed to exfiltrate data in several ways. For instance, one of the modules, known as the File Exfiltrator module, allows for a single file to be pilfered from the target host. Another module, called the multifile exfiltrator, allows for multiple files to be encrypted, compressed, and exfiltrated.
This campaign is currently active and effective, but it is not yet known how many organizations may have been impacted beyond those where CrowdStrike has visibility, or how many might have been indirectly impacted via the supply chain or other means.