New 'post-exploitation' threat deployed on Microsoft Exchange servers is spotted by researchers
Recently discovered malware that helps attackers capture, move and delete data is aimed at organizations' Microsoft Exchange servers and has the capability to expand into other web applications, researchers at CrowdStrike reported Wednesday.
The threat, dubbed IceApple, is used for "post-exploitation" tasks, the researchers said, meaning that "it does not provide access, rather it is used to further mission objectives after access has already been achieved."
IceApple is stealthy, "maintaining a low forensic footprint on the infected host," CrowdStrike said, and appears to be part of a cyber-espionage campaign. The cybersecurity company did not attribute the malware to any known threat group, but said that "the observed targeted intrusions align with China-nexus, state-sponsored collection requirements."
The malware, first identified in late 2021, is built to target .NET, an open-source software framework spearheaded by Microsoft, CrowdStrike said. So far, the researchers identified 18 distinct modules that are geared toward credential harvesting, file and directory deletion, data exfiltration and other tasks.
"To date, IceApple has been observed being deployed on Microsoft Exchange server instances, however it is capable of running under any Internet Information Services (IIS) web application," CrowdStrike said. IIS is widely used web server software from Microsoft.
"CrowdStrike's Falcon OverWatch proactive threat hunting team uncovered a sophisticated .NET-based post-exploitation framework, dubbed IceApple. The emergence of new IceApple modules over the past year indicates that this framework is actively developing." https://t.co/5gkr6CUL4m
— CrowdStrike (@CrowdStrike) May 11, 2022
Representatives from Microsoft did not immediately respond to a request for comment from The Record.
IceApple so far has been used to target the technology, academic and government sectors, CrowdStrike said. Malware aimed at .NET is common, the researchers said, but IceApple is "highly sophisticated" when compared to others.
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.