IceApple, a new .NET-based post-exploitation framework for hacking Microsoft Exchange email servers

Cybersecurity specialists have reported the detection of a new post-exploitation framework used to compromise Microsoft Exchange servers. Identified as IceApple, the framework was developed by threat actors capable of keeping a low profile while conducting long-term intrusions.

The framework was discovered at the end of 2021 by a specialized CrowdStrike team and is still under active development. According to the researchers, IceApple is deployed after the attackers have already gained initial access to the compromised network, and victims have been observed in the technology, government and academic sectors.

IceApple has been deployed on instances of Microsoft Exchange Server, but it can also run on other Internet Information Services (IIS) web applications. The framework is based on .NET and has at least 18 modules, each dedicated to a specific task, such as discovering vulnerable devices on the attacked network, stealing credentials and sensitive information, and deleting files.

CrowdStrike experts note that IceApple activity may be linked to state-sponsored attacks. Although IceApple has not been attributed to any specific threat actor, many suspect that the tool was developed in China.

The researchers also believe that the threat actors behind IceApple have solid knowledge of IIS internals. One indication is a module that makes use of undocumented fields that were never intended for third-party developers. “Detailed analysis of the modules suggests that IceApple has been developed by an adversary with a deep understanding of the inner workings of IIS software,” the experts add.

In addition, IceApple modules run only in the memory of the affected system, which minimizes their forensic footprint. Other efforts to keep a low profile include blending in with the compromised environment by creating files that appear to have been generated by Microsoft’s IIS web server.
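As an added defender-side illustration (this is not code from the article or from CrowdStrike), the following PowerShell snippet performs a baseline triage of IIS worker processes on an Exchange or IIS host: it enumerates the modules loaded in every w3wp.exe process and lists those that are unsigned or loaded from outside the directories normally used by Windows and Exchange. The expected-path list and the decision to treat anything else as suspicious are assumptions to adapt to your own server build. The important caveat, which follows directly from the article, is that memory-only .NET modules do not appear in a process's native module list, so an empty result is not a clean bill of health; the check is meant to surface the on-disk artifacts an implant may leave behind while blending in with IIS-generated files.

```powershell
# Added example, not from the article or CrowdStrike: baseline triage of IIS worker processes.
# Run in an elevated session; reading another process's module list requires administrator rights.
# Caveat: reflectively loaded, memory-only .NET assemblies (as the article describes for IceApple)
# are NOT visible here. This only surfaces modules that exist on disk.

# Assumption: these roots cover the legitimate binaries on a default Exchange/IIS install.
# Adjust for your environment (third-party agents, custom install paths, etc.).
$expectedRoots = @(
    "$env:windir\",
    "$env:ProgramFiles\Microsoft\Exchange Server\"
)

function Test-ExpectedPath {
    param([string]$Path)
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        # Authenticode check: Microsoft and Exchange binaries are normally signed.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        $unexpectedPath = -not (Test-ExpectedPath $m.FileName)
        $unsigned = ($null -eq $sig) -or ($sig.Status -ne 'Valid')

        if ($unexpectedPath -or $unsigned) {
            [pscustomobject]@{
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                Reason    = if ($unexpectedPath -and $unsigned) { 'Path+Signature' }
                            elseif ($unexpectedPath) { 'Path' }
                            else { 'Signature' }
            }
        }
    }
}

# Review the list by hand; compare against a known-good server where possible.
$findings | Sort-Object PID, Path | Format-Table -AutoSize
```

Expect some noise: ASP.NET compiles pages into unsigned assemblies under the Temporary ASP.NET Files directory, so those will appear with a signature reason. They are still worth a look, because a framework that disguises its files as IIS-generated output would aim to look exactly like them; comparing the listing against a known-clean server of the same build is the quickest way to separate the two.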

CrowdStrike has not been able to determine the exact number of victims of these attacks, and does not rule out that the threat may grow in the coming weeks. The researchers therefore recommend that public and private organizations keep all of their web applications updated to the latest versions, which improves the defenses of the affected systems against this framework.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.