New ‘post-exploitation’ threat deployed on Microsoft Exchange servers is spotted by researchers
Recently discovered malware that helps attackers capture, move and delete data is aimed at organizations’ Microsoft Exchange servers and has the capability to expand into other web applications, researchers at CrowdStrike reported Wednesday.
The threat, dubbed IceApple, is used for “post-exploitation” tasks, the researchers said, meaning that “it does not provide access, rather it is used to further mission objectives after access has already been achieved.”
IceApple is stealthy, “maintaining a low forensic footprint on the infected host,” CrowdStrike said, and appears to be part of a cyber-espionage campaign. The cybersecurity company did not attribute the malware to any known threat group, but said that “the observed targeted intrusions align with China-nexus, state-sponsored collection requirements.”
The malware, first identified in late 2021, is built to target .NET, an open-source software framework spearheaded by Microsoft, CrowdStrike said. So far, the researchers identified 18 distinct modules that are geared toward credential harvesting, file and directory deletion, data exfiltration and other tasks.
“To date, IceApple has been observed being deployed on Microsoft Exchange server instances, however it is capable of running under any Internet Information Services (IIS) web application,” CrowdStrike said. IIS is widely used web server software from Microsoft.
Representatives from Microsoft did not immediately respond to a request for comment from The Record.
IceApple so far has been used to target the technology, academic and government sectors, CrowdStrike said. Malware aimed at .NET is common, the researchers said, but IceApple is “highly sophisticated” when compared to others.