Researchers have exposed a new and highly sophisticated post-exploitation framework called IceApple. This newly discovered malicious Internet Information Services (IIS) framework was created by a threat actor who is well versed in the ins and outs of hacking.
The framework includes nearly 20 modules under active development and has been utilised against several targets over the last few months. The researchers first discovered the malware in 2021; it has targeted sectors including government, technology, and academia.
IceApple is an in-memory-only framework, implying that the threat actors aim to leave as little trace as possible on targeted systems. The campaign appears to be a long-running, state-sponsored espionage operation consistent with China-nexus activity.
The IceApple framework can execute attacks on different systems.
Although the recent IceApple attacks have mainly targeted Microsoft Exchange servers, the framework can run on any IIS web application. This capability makes it a severe threat to many organisations.
The attached malware modules enable it to list and remove directories and files, write data, exfiltrate critical information, query Active Directory and steal credentials. The framework's primary objective is to increase its operator's visibility into the target by acquiring access to certificates and stealing information.
In addition, the malware's modular design lets the operators package each piece of functionality into its own .NET assembly and reflectively load only the one a given task requires. According to a separate researcher, reflective code loading is a method for hiding malicious payloads: it allocates and executes the payload directly in the memory of a running process.
The payloads can include fileless executable code, anonymous files, and compiled binaries. Reflective code loading can also leave defenders entirely unaware of these attacks. Even if a defender notices the web server connecting to a suspicious IP address, they may still be unable to determine which code the threat actors executed.
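As an added illustration of the detection gap described above (this is not code from the original article or from the IceApple research), the C# snippet below audits the current .NET AppDomain for assemblies that have no backing file on disk, which is how a reflectively loaded module looks from inside an IIS worker process; the `ConstructedInMemoryModule` name is a constructed stand-in.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Reflection.Emit;

// Audits the current AppDomain for assemblies that have no file on disk.
// A module deployed normally to IIS is loaded from a .dll path and reports
// it in Assembly.Location; an assembly handed to the runtime as a byte array
// and reflectively loaded reports an empty Location, and a Reflection.Emit
// assembly throws NotSupportedException when Location is read.
static class InMemoryAssemblyAudit
{
    public static List<string> FindFilelessAssemblies()
    {
        var findings = new List<string>();
        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
        {
            string location;
            try
            {
                location = asm.IsDynamic ? string.Empty : asm.Location;
            }
            catch (NotSupportedException)
            {
                location = string.Empty;
            }
            if (string.IsNullOrEmpty(location))
                findings.Add(asm.FullName);
        }
        return findings;
    }

    static void Main()
    {
        // Constructed stand-in (assumption, not IceApple's code): a dynamic
        // assembly created in memory has no backing file, so the audit flags
        // it the same way it would flag a reflectively loaded module.
        var standIn = new AssemblyName("ConstructedInMemoryModule");
        AssemblyBuilder.DefineDynamicAssembly(standIn, AssemblyBuilderAccess.Run);

        foreach (string name in FindFilelessAssemblies())
            Console.WriteLine("No backing file on disk: " + name);
    }
}
```

Run it inside the process you want to inspect (for IIS, as a managed module hosted in w3wp.exe), since one process cannot enumerate another's managed assemblies this way. Some legitimate components also create in-memory assemblies, so treat hits as triage leads to compare against the site's deployed binaries rather than as verdicts.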
The IceApple framework is a credible threat that employs novel strategies to bypass security detections and can steal data in diverse ways. The campaign is currently active and appears to be effective.
Researchers have not indicated how many victims are affected by this framework. Organisations should keep all web applications fully patched to reduce the risk of IceApple affecting their networks.