New 'post-exploitation' threat deployed on Microsoft Exchange servers is spotted by researchers

Recently discovered malware that helps attackers capture, move and delete data is aimed at organizations' Microsoft Exchange servers and has the capability to expand into other web applications, researchers at CrowdStrike reported Wednesday.

The threat, dubbed IceApple, is used for "post-exploitation" tasks, the researchers said, meaning that "it does not provide access, rather it is used to further mission objectives after access has already been achieved."

IceApple is stealthy, "maintaining a low forensic footprint on the infected host," CrowdStrike said, and appears to be part of a cyber-espionage campaign. The cybersecurity company did not attribute the malware to any known threat group, but said that "the observed targeted intrusions align with China-nexus, state-sponsored collection requirements."

The malware, first identified in late 2021, is built on .NET, the open-source software framework led by Microsoft, CrowdStrike said. So far the researchers have identified 18 distinct modules, geared toward credential harvesting, file and directory deletion, data exfiltration and other tasks.

"To date, IceApple has been observed being deployed on Microsoft Exchange server instances, however it is capable of running under any Internet Information Services (IIS) web application," CrowdStrike said. IIS is Microsoft's widely used web server software, and Exchange's web-facing components run on top of it.

Representatives from Microsoft did not immediately respond to a request for comment from The Record.

IceApple so far has been used to target the technology, academic and government sectors, CrowdStrike said. Malware written for .NET is common, the researchers said, but IceApple is "highly sophisticated" compared with other examples.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.