The researchers described in detail a previously undocumented .NET-based post-exploitation framework called IceApple, which was deployed on Microsoft Exchange instances to facilitate reconnaissance and data exfiltration.
“Suspected to be state-sponsored, IceApple is still under development, with 18 modules used in a number of enterprise environments as of May 2022,” CrowdStrike said in a report on Wednesday.
The cybersecurity firm, which discovered the sophisticated malware in late 2021, observed it in several victim networks across geographically diverse locations. Targeted victims span a wide range of sectors, including technology, science and government.
The post-exploitation toolset, as the name implies, is not used to gain initial access; it is used to carry out follow-on attacks after the relevant hosts have already been compromised.
IceApple is notable for being an in-memory framework, which points to an attempt by the threat actor to keep a low forensic footprint and evade detection, both hallmarks of a long-term intelligence-gathering mission.
Although the intrusions observed so far involved the malware being loaded on Microsoft Exchange servers, IceApple can run under any Internet Information Services (IIS) web application, which makes it a potent threat.
The various modules that ship with the platform give the malware the ability to list and delete files and directories, write data, steal credentials, query Active Directory and exfiltrate sensitive data. Timestamps on these components date back to May 2021.
“In essence, IceApple is a post-exploitation framework focused on increasing an adversary’s visibility into the target by acquiring credentials and exfiltrating data,” the researchers concluded.
“IceApple was developed by an adversary with detailed knowledge of the inner workings of IIS. Ensuring that all web applications are regularly and fully patched is critical to preventing IceApple from taking hold in your environment.”