A suspected Chinese state-sponsored threat actor has deployed a sophisticated malware framework on Microsoft Exchange servers at organizations in the technology, science and government sectors across several regions, with activity dating back to at least last fall.
According to CrowdStrike researchers, the campaign is aimed at intelligence gathering and is consistent with a targeted, state-sponsored operation. The security vendor is tracking the framework as “IceApple” and described it in a report this week as being made up of 18 separate modules whose capabilities include credential harvesting, deletion of files and directories, and data exfiltration.
CrowdStrike’s analysis shows that the modules are designed to run only in memory, minimizing the footprint left on an infected system – a tactic often used by adversaries in long-running campaigns. The framework also employs several other detection-evasion techniques that suggest the adversary has in-depth knowledge of IIS (Internet Information Services) web applications. For example, CrowdStrike noted that one of the modules uses undocumented fields in IIS software that are not intended for use by third-party developers.
During its investigation of the threat, CrowdStrike researchers saw evidence that the adversary repeatedly returned to compromised systems and used IceApple to carry out post-exploitation activity.
Param Singh, vice president of CrowdStrike’s Falcon OverWatch threat-hunting service, says IceApple differs from other post-exploitation tools in that it is under continuous development, even while actively deployed and in use. “Although IceApple has been observed deployed on instances of Microsoft Exchange Server, in fact it can run in any IIS web application,” says Singh.
Link to Microsoft .NET
CrowdStrike discovered IceApple while developing malware detections for so-called reflective .NET assembly loads. MITRE defines reflective code loading as a method that threat actors use to conceal malicious payloads. It involves allocating and executing payloads directly in the memory of a running process. According to MITRE, reflectively loaded payloads can include compiled executable binaries, anonymous files, or just fragments of fileless executable code. Reflective code loading is similar to process injection, except that the code is loaded into the process’s own memory rather than into the memory of a separate process, MITRE noted.
“.NET is the cornerstone of Microsoft’s .NET platform,” says Singh.
CrowdStrike discovered IceApple in late 2021, when a detection engine it had developed for reflective .NET assembly loads fired on Exchange servers at a customer site. The company’s investigation of the alert revealed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.
An active cyber attack campaign
IceApple’s modular design gave the adversary the ability to package each element of functionality into its own .NET assembly, and then reflectively load each function only as needed. “If not caught, this technique can leave security defenders completely blind to such attacks,” Singh says. “For example, defenders will see a legitimate application such as a web server that connects to a suspicious IP; however, they do not have the means to find out which code triggers this connection.”
Singh says CrowdStrike has found that IceApple uses several unique tactics to avoid detection. One is the use of undocumented fields in IIS. Another is blending into the environment by using assembly file names that look like regular temporary IIS files. “On closer inspection, the filenames aren’t randomly generated, as you might expect, and the way the assemblies are loaded is out of the ordinary for Microsoft Exchange and IIS,” says Singh.
The IceApple framework is designed to exfiltrate data in several ways. For example, one of the modules, known as the File Exfiltrator module, allows the adversary to steal a single file from the target host. According to Singh, another module, a multi-file exfiltrator, allows the adversary to encrypt, compress and exfiltrate multiple files at once.
“Currently, this campaign is active and efficient,” he warns. “But it is unknown at this time how many organizations could be affected by this campaign outside of CrowdStrike’s visibility, and those that could be indirectly affected through supply chain or other methods.”