May 17, 2022

IceApple Post-Exploitation Toolset

Industry: Academic, Government, Technology | Level: Strategic | Source: CrowdStrike

An Internet Information Services (IIS) post-exploitation framework named IceApple, was discovered by the CrowdStrike Falcon OverWatch team in late 2021. IceApple has mainly been observed to be deployed on Microsoft Exchange servers, however the threat is applicable to any Internet Information Services (IIS) web application. Deployment of this toolset has been observed in multiple verticles for academics, government, and technology and in impacted organizations in “geographically distinct locations.” The framework works in-memory, identified with 18 modules at a minimum and likely in development. IceApple maintains a low forensic footprint likely to enable long-term espionage and given this style of operation could align with a Chinese state-sponsored actor. Usage of the tool, varied based on the threat actor’s progress in a victim’s network, as stated by CrowdStrike “IceApple was observed being rapidly deployed to multiple hosts to facilitate credential harvesting from local and remote host registries, credential logging on OWA servers, reconnaissance, and data exfiltration. OverWatch then observed adversaries returning to networks daily to continue their activity.” Whilst, maintaining a reliable foothold in the target’s environment, attackers would return 10 to 14 days later to ensure access is still available. Recommended actions to defend against IceApple is to ensure web applications are updated and patched.