Stealthy, “highly sophisticated” post-exploitation framework used for data exfiltration likely the work of a state-sponsored threat actor.

In late 2021, security researchers on CrowdStrike’s Falcon OverWatch team first detected a modular post-exploitation framework targeting Microsoft Exchange Servers. Dubbed IceApple, the .NET-based framework has been observed in “distinct locations” and primarily directed toward entities in the government, academic and technology sectors.

“One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers.”—OverWatch Team

Modular by Design

The term post-exploitation refers to actions that take place after access to the host is gained. Once compromised, malware is deployed and used for follow-on attacks. According to the OverWatch team, there is evidence suggesting threat actors repeatedly returned to the infected systems. Reconnaissance, data exfiltration, file and directory deletion and credential harvesting are among 18 of the modules researchers have discovered.

To date, the primary target of IceApple has been Microsoft Exchange Servers but it is capable of running on other applications under Microsoft’s Internet Information Services (IIS) web server.

IceApple exploit framework targeting Microsoft Exchange servers

“IceApple has a number of features to help it evade detection.”—OverWatch Team

Designed with a Low Forensic Footprint

IceApple uses several methods to avoid detection: it is an in-memory-only framework, and its assemblies pose as the temporary files that IIS generates when it compiles ASPX pages into .NET assemblies.
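As an added illustration of that masquerading (example code, not from CrowdStrike or the original post), the following Python heuristic triages a constructed list of managed assemblies reported inside an IIS worker process and flags those that carry the App_Web_ naming ASP.NET gives compiled pages but either have no backing file on disk or live outside the Temporary ASP.NET Files tree. The record fields, sample names and sample paths are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed record shape: what a process/memory inspection tool might report for
# each managed assembly loaded into a process. Not any real tool's schema.
@dataclass
class LoadedAssembly:
    process: str                # image name of the hosting process
    name: str                   # assembly name as reported by the CLR
    image_path: Optional[str]   # backing file on disk; None if memory-only

# ASP.NET dynamic compilation names page assemblies App_Web_<id>.dll and writes
# them under "Temporary ASP.NET Files". An implant imitating that naming should
# still satisfy both properties of a genuine compiled page checked below.
APP_WEB_NAME = re.compile(r"^App_Web_[0-9a-z_\-]+(\.dll)?$", re.IGNORECASE)
TEMP_ASPNET_DIR = re.compile(r"\\Temporary ASP\.NET Files\\", re.IGNORECASE)

REASON_MEMORY_ONLY = "App_Web-style assembly with no backing file (memory-only load)"
REASON_WRONG_DIR = "App_Web-style assembly loaded from outside Temporary ASP.NET Files"


def is_suspicious(a: LoadedAssembly) -> Optional[str]:
    """Return a reason if the assembly looks like a masquerading module, else None."""
    if not a.process.lower().startswith("w3wp"):   # only IIS worker processes
        return None
    if not APP_WEB_NAME.match(a.name):             # not imitating compiled pages
        return None
    if a.image_path is None:
        return REASON_MEMORY_ONLY    # real compiled pages are always file-backed
    if not TEMP_ASPNET_DIR.search(a.image_path):
        return REASON_WRONG_DIR
    return None


def triage(assemblies: List[LoadedAssembly]) -> List[Tuple[str, str]]:
    """Return (assembly name, reason) for every record worth an analyst's look."""
    return [(a.name, r) for a in assemblies if (r := is_suspicious(a))]


# Constructed sample input; the paths and identifiers are made up.
SAMPLE = [
    LoadedAssembly("w3wp.exe", "App_Web_k3d2x9qa.dll",
                   r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
                   r"\Temporary ASP.NET Files\owa\1a2b3c4d\5e6f7a8b\App_Web_k3d2x9qa.dll"),
    LoadedAssembly("w3wp.exe", "App_Web_zz19ab4f.dll", None),
    LoadedAssembly("w3wp.exe", "App_Web_7f0c11de.dll",
                   r"C:\inetpub\wwwroot\aspnet_client\App_Web_7f0c11de.dll"),
    LoadedAssembly("explorer.exe", "App_Web_abcd1234.dll", None),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"{name}: {reason}")
```

Hits from this check are leads for memory acquisition and module review, not verdicts; legitimate applications occasionally load assemblies from memory too.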

While CrowdStrike has not identified the source of the exploit, they attribute it to “an adversary with deep knowledge of the inner workings of IIS software”. They also note that “the observed targeted intrusions align with China-nexus, state-sponsored collection requirements.”

Microsoft has yet to release an advisory for IceApple. Until then, ensure all web applications are fully patched, and read our guide on protecting your Microsoft Exchange server.

Be sure to visit Messageware Security Products for Microsoft Exchange Server. All enterprises with Exchange Servers should add security that provides on-premise systems with logon intelligence and security controls protecting the most widely used Exchange Server services, including OWA / Outlook Web, ECP, Autodiscover, ActiveSync, EWS, OAB, MAPI and Outlook Anywhere. These are critical additions for all enterprises, including those who believe they are protected by multi-factor authentication (MFA/2FA).