Researchers are warning of a sophisticated post-exploitation framework being deployed on Microsoft Exchange server instances to perform credential harvesting and local reconnaissance on companies across the technology, academic and government sectors.
The .NET-based framework, which researchers call IceApple, contains 18 separate modules that remain under active development in order to evade detection, including capabilities for credential harvesting, file and directory deletion and data exfiltration.
Notably, none of these modules provides exploitation or lateral movement capabilities: post-exploitation frameworks like IceApple do not provide initial access and are instead used to pursue malicious objectives after the attackers have already compromised the system. In some cases, researchers observed attackers returning to the victim's environment every ten to fourteen days to use the framework, likely to ensure that access was continually maintained.
“When used shortly after an adversary gained initial access, IceApple was observed being rapidly deployed to multiple hosts to facilitate credential harvesting from local and remote host registries, credential logging on OWA servers, reconnaissance, and data exfiltration,” said researchers with Crowdstrike’s Falcon OverWatch threat hunting team in a Wednesday analysis. “OverWatch then observed adversaries returning to networks daily to continue their activity.”
While build timestamps on modules used by the framework date back to May 2021, researchers first discovered the framework in late 2021 being loaded on Exchange servers. Researchers said further investigation revealed that the adversary behind the framework has detailed knowledge of how Internet Information Services (IIS) works and is capable of targeting any IIS web application. IIS is Microsoft’s web server software used to host and provide internet-based services to the end user.
The framework was reflectively loaded through precompiled .NET assemblies into an application pool for Exchange servers. Precompiled .NET assemblies have previously been used by adversaries with existing access to a system to load additional functionalities, either via webshells or malicious IIS components.
Researchers said that they regularly discover reflectively loaded .NET assemblies of “various levels of sophistication,” from basic wrappers around Windows utilities (such as WMI) all the way up to modular frameworks with multiple levels of encryption that help to protect data both in transit and between modules. This type of malicious activity can be detected if a reflective .NET load occurs under an application or IIS application pool that does not typically perform this sort of operation, said researchers.
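The detection idea in the paragraph above, baselining which IIS application pools normally perform reflective (in-memory) .NET loads and alerting on the rest, as an added example that is not CrowdStrike's code or tooling; the `pool=... asm=... src=...` event format, pool names and assembly names are constructed for illustration, not a real Windows or ETW schema.

```python
"""Flag reflective (in-memory) .NET assembly loads under IIS app pools that
do not normally perform them. Added illustration; the event format below is
constructed, not a real Windows/ETW schema."""
from collections import defaultdict

# Constructed historical telemetry: one line per assembly load observed in an
# IIS worker process (w3wp.exe). src=memory marks a reflective load with no
# backing file on disk; src=disk marks an ordinary load from a file path.
BASELINE_LOG = """\
pool=MSExchangeOWAAppPool asm=Microsoft.Exchange.Clients.Owa src=disk
pool=MSExchangeOWAAppPool asm=Microsoft.Exchange.Data src=disk
pool=InternalReportingPool asm=ReportPlugin src=memory
pool=InternalReportingPool asm=ReportPlugin src=memory
pool=MSExchangeECPAppPool asm=Microsoft.Exchange.Management src=disk
"""

# Constructed events from the window under investigation.
NEW_LOG = """\
pool=MSExchangeOWAAppPool asm=App_Web_a1b2c3 src=memory
pool=InternalReportingPool asm=ReportPlugin src=memory
pool=MSExchangeECPAppPool asm=Microsoft.Exchange.Management src=disk
pool=MSExchangeOWAAppPool asm=App_Web_d4e5f6 src=memory
"""

def parse(log):
    """Turn 'key=value' lines into dicts; skip blank or malformed lines."""
    events = []
    for line in log.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if all(k in fields for k in ("pool", "asm", "src")):
            events.append(fields)
    return events

def learn_baseline(log, min_count=2):
    """Pools with at least min_count historical reflective loads are treated
    as normally doing so; any other pool doing it later is an anomaly."""
    counts = defaultdict(int)
    for ev in parse(log):
        if ev["src"] == "memory":
            counts[ev["pool"]] += 1
    return {pool for pool, n in counts.items() if n >= min_count}

def find_anomalous_loads(new_log, baseline_pools):
    """Return (pool, assembly) pairs for reflective loads outside the baseline."""
    return [(ev["pool"], ev["asm"]) for ev in parse(new_log)
            if ev["src"] == "memory" and ev["pool"] not in baseline_pools]

if __name__ == "__main__":
    for pool, asm in find_anomalous_loads(NEW_LOG, learn_baseline(BASELINE_LOG)):
        print(f"ALERT reflective .NET load in {pool}: {asm}")
```

The two OWA app pool hits are the ones worth triaging; the reporting pool's reflective load is suppressed because the baseline shows it doing so routinely.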
“While many of the assemblies… are only seen in a customer’s environment once and then never again, a few — such as IceApple — continue to be reused on target networks while showing signs that they are in active development,” said researchers.
Researchers said IceApple’s in-memory-only framework shows that the actor is prioritizing a low forensic footprint on targeted companies. In addition, its numerous modules support a wide range of capabilities, including listing and deleting directories, writing data to a file, retrieving the configuration of installed network adapters, retrieving IIS server variables, dumping credentials stored in registry keys on the infected host, executing queries against Microsoft Entra ID and capturing OWA credentials.
“This is typical of long-running objectives aimed at intelligence collection and aligns with a targeted, state-sponsored mission,” said researchers.