Posted on May 15, 2022 at 12:01 PM
Security researchers have discovered a new post-exploitation framework, dubbed IceApple, deployed on Microsoft Exchange servers at several organizations. According to the researchers, IceApple is “highly sophisticated” malware whose developer prioritises keeping it hidden for long periods during targeted attacks. The tooling and tradecraft behind it make it both dangerous and difficult to defend against.
The Framework Runs On Microsoft Exchange And IIS
Researchers at CrowdStrike’s Falcon OverWatch team, who discovered the malware, say it is still under active development despite already being highly capable. It was first identified in late 2021 and has been observed in the wild since.
IceApple is a post-exploitation tool: it is deployed only after the attackers have already gained access to a victim’s network. Victims span several sectors, including government, technology, and academia.
The researchers also noted that IceApple has so far been observed on Microsoft Exchange Server instances, although it is capable of running under any Internet Information Services (IIS) web application.
It is a .NET-based framework with 18 modules identified so far, each performing a specific task. Together they let the operator map the network and identify machines of interest; once a target is chosen, the modules allow the attacker to delete files, steal credentials, or exfiltrate valuable data.
IceApple Suspected To Be A State-Sponsored Adversary
The security researchers also noted that the observed IceApple activity aligns with what is normally seen in attacks by state-sponsored threat actors.
Although it is not certain that the hackers are backed by a government or belong to a particular threat group, the researchers say the actor’s behaviour aligns with that of Chinese state-sponsored hackers: the tools used, the level of sophistication, and the types of organizations targeted closely match what Chinese state-sponsored actors are known to do.
Additionally, the developers of IceApple clearly have a thorough understanding of IIS internals, which the researchers take as a mark of a highly knowledgeable and sophisticated adversary.
“Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software,” the researchers stated.
One strong indication is a module that makes use of undocumented fields that were never intended for third-party developers.
The Threat Actors Take Additional Efforts To Stay Hidden
Another feature pointed out by the researchers is how much effort the operators put into staying hidden. They can plant the framework on a target system and remain undetected for a very long time, which gives them ample opportunity to harvest and exfiltrate data. Part of that effort is blending into the compromised environment: IceApple’s assemblies are made to look like files that Microsoft’s IIS web server generates itself.
At first glance they resemble the temporary files IIS produces when it compiles ASP.NET source files into .NET assemblies for loading. On closer inspection, however, their names are not generated the way IIS generates them, and they are not loaded in the way IIS and Microsoft Exchange normally load such assemblies. These differences, together with other features the researchers identified, mark them as purpose-built for the threat actor.
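The two tells described above (a name that mimics IIS’s compiled-assembly naming, and a load that does not match how IIS actually loads such assemblies) can be turned into a simple hunt over the modules loaded into IIS worker processes. The script below is an added example written for this page; it is not CrowdStrike’s tooling and does not describe IceApple’s actual file names. It assumes a pipe-separated inventory of modules loaded into w3wp.exe (pid, process, module name, on-disk path, whether the file existed at collection time) that you have already collected by whatever means you use (process module enumeration, EDR telemetry, a memory image), and it assumes the ASP.NET compiler naming convention `App_Web_<8 alphanumerics>.dll` (plus the App_Code/App_global.asax variants) and the `Temporary ASP.NET Files` directory as the only legitimate home for such assemblies. Sample inventory lines are constructed for the example.

```python
"""Hunt for IIS temp-compilation lookalike assemblies inside w3wp.exe.

Added example (not CrowdStrike's tooling). Input is a constructed inventory
of modules loaded into IIS worker processes, one record per line:
    pid|process|module_name|path|file_exists
Collecting such an inventory is out of scope here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed naming convention of assemblies emitted by ASP.NET dynamic
# compilation (e.g. App_Web_kq3z7m1p.dll, App_Code.abcd1234.dll).
# This is an assumption for the example, not a claim from the article.
COMPILER_NAME_RE = re.compile(
    r"^App_(?:Web_|Code\.|global\.asax\.|GlobalResources\.|LocalResources\.[^.]+\.)"
    r"[a-z0-9]{8}\.dll$",
    re.IGNORECASE,
)

# Directory component under which ASP.NET stores dynamically compiled
# assemblies, e.g. ...\v4.0.30319\Temporary ASP.NET Files\<app>\<hash>\<hash>\
TEMP_DIR_COMPONENT = "temporary asp.net files"


@dataclass
class LoadedModule:
    pid: int
    process: str       # image name of the hosting process
    name: str          # assembly file name as reported by the loader
    path: str          # on-disk path; empty when the assembly has no backing file
    file_exists: bool  # whether path was present on disk at collection time


def parse_inventory(text: str) -> list[LoadedModule]:
    """Parse the pipe-separated inventory format described in the docstring."""
    mods = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pid, proc, name, path, exists = line.split("|")
        mods.append(LoadedModule(int(pid), proc, name, path, exists == "1"))
    return mods


def under_temp_aspnet(path: str) -> bool:
    """True if any directory component of path is the ASP.NET temp directory."""
    return TEMP_DIR_COMPONENT in (p.lower() for p in PureWindowsPath(path).parts)


def classify(mod: LoadedModule) -> str | None:
    """Return a reason string if the module looks suspicious, else None."""
    if mod.process.lower() != "w3wp.exe":
        return None  # only IIS worker processes are in scope for this hunt
    lookalike = bool(COMPILER_NAME_RE.match(mod.name))
    in_temp = under_temp_aspnet(mod.path)
    if lookalike and not mod.path:
        return "compiler-style name but no backing file (memory-only load)"
    if lookalike and not in_temp:
        return "compiler-style name loaded from outside Temporary ASP.NET Files"
    if lookalike and not mod.file_exists:
        return "compiler-style name whose backing file has been removed"
    if in_temp and not lookalike:
        return "non-compiler name loaded from Temporary ASP.NET Files"
    return None


def hunt(inventory: str) -> list[tuple[str, str]]:
    """Return (module_name, reason) for every suspicious module in the inventory."""
    return [(m.name, reason) for m in parse_inventory(inventory)
            if (reason := classify(m)) is not None]


# Constructed sample inventory for the example (not real telemetry).
SAMPLE_INVENTORY = r"""
4120|w3wp.exe|App_Web_kq3z7m1p.dll|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\9a1e2c3d\4b5f6a7c\App_Web_kq3z7m1p.dll|1
4120|w3wp.exe|App_Web_h7n2c4ve.dll||0
4120|w3wp.exe|App_Web_x9d1f2aa.dll|C:\Windows\Temp\App_Web_x9d1f2aa.dll|1
4120|w3wp.exe|Microsoft.Exchange.Clients.Owa2.Server.dll|C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Clients.Owa2.Server.dll|1
4120|w3wp.exe|helper.dll|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\9a1e2c3d\4b5f6a7c\helper.dll|1
"""

if __name__ == "__main__":
    for name, reason in hunt(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

Run against the sample, the first record (a genuine-looking compiled assembly in the right place) passes, while the memory-only load, the lookalike sitting outside the temp tree, and the oddly named DLL inside it are each flagged with their reason. The heuristics are deliberately narrow: an actor who names assemblies exactly as the compiler would and drops them in the right directory would pass the name and path checks, which is why the missing-backing-file and memory-only checks matter most, and why this should complement, not replace, in-memory inspection of the worker process.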
CrowdStrike’s OverWatch team says IceApple’s activity was first discovered through CrowdStrike’s cloud-based security platform, which raised an alert on the targeted Outlook Web Access (OWA) deployment of a new customer. However, the researchers warn that they may not yet have discovered all of IceApple’s modules; others may exist.
IceApple Has Impacted Multiple Victim Environments
The researchers did not say how many victims have been affected, but the firm said it has found IceApple intrusions in multiple victim environments. They also noted that the developers are likely to keep enhancing the framework to adapt to new detection techniques.
This is typical of any threat actor that wants to keep its malware hidden in a compromised system for a long time. Such actors usually prioritise the secrecy of their operation over everything else, because developing a replacement module that evades security software takes time. In the case of IceApple’s developers, the OverWatch researchers say, considerable care has gone into keeping their activity hidden.