
IceApple Malware

Threat actors have been using a sophisticated post-exploitation malware framework in a series of targeted attacks since at least 2021. The malware is tracked as IceApple by the researchers of CrowdStrike's Falcon OverWatch team, the company's threat hunting division.

According to their findings, the cybercriminals have targeted entities across several industry sectors (technology, government and academia) and multiple geographic locations. The likely goal of the attack campaigns appears to be cyberespionage and data theft. IceApple has not been attributed to a specific hacker group, but its behavior shows signs typically associated with China-aligned, state-sponsored threat actors.

Technical Details

The IceApple framework is .NET-based and consists of at least 18 different threatening modules. It has been found deployed on Microsoft Exchange Server instances, but it can be equally effective when running on other Internet Information Services (IIS) web applications. In fact, according to CrowdStrike OverWatch, the cybercriminals who developed the malware must have had extensive and deep knowledge of the inner workings of the IIS software.

This knowledge is exemplified by the detection-evasion techniques of IceApple. The different modules are run in memory to reduce the footprint of the threat on breached systems. Furthermore, IceApple blends into the natural environment of the system by creating assembly files that, at first glance, appear to have been legitimately generated by the IIS web server.
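As an added defender-side example (not from this page or from CrowdStrike's report), the following Python hunt assumes that ASP.NET's dynamic compiler always leaves a `.compiled` sidecar file naming each `App_Web_*.dll` it produced, and flags assemblies in a Temporary ASP.NET Files tree that no sidecar claims; the sample files are constructed in a temporary directory.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Assumption: legitimately compiled ASP.NET pages leave a ".compiled" sidecar
# whose <preserve assembly="App_Web_xxxxxxxx"> attribute names the generated
# DLL. An App_Web_*.dll that no sidecar refers to was not produced by the
# ASP.NET compiler and deserves a closer look (a heuristic, not proof).
APP_WEB = re.compile(r"^App_Web_[\w.-]+\.dll$", re.IGNORECASE)


def referenced_assemblies(directory):
    """Return the set of assembly names declared by .compiled files in one directory."""
    names = set()
    for entry in os.listdir(directory):
        if not entry.lower().endswith(".compiled"):
            continue
        try:
            root = ET.parse(os.path.join(directory, entry)).getroot()
        except ET.ParseError:
            continue  # a malformed sidecar cannot vouch for any assembly
        for node in root.iter("preserve"):
            asm = node.get("assembly")
            if asm:
                names.add(asm.lower())
    return names


def find_orphaned_assemblies(root):
    """Walk a Temporary ASP.NET Files tree; list App_Web DLLs no .compiled file claims."""
    orphans = []
    for dirpath, _, files in os.walk(root):
        known = referenced_assemblies(dirpath)
        for name in files:
            if APP_WEB.match(name) and name[:-4].lower() not in known:
                orphans.append(os.path.join(dirpath, name))
    return sorted(orphans)


def demo():
    """Constructed sample tree: one legitimate DLL/sidecar pair and one orphan."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "default.aspx.a1b2c3d4.compiled"), "w") as fh:
        fh.write('<preserve resultType="3" virtualPath="/default.aspx" '
                 'assembly="App_Web_a1b2c3d4" />')
    for name in ("App_Web_a1b2c3d4.dll", "App_Web_e5f6a7b8.dll"):
        open(os.path.join(base, name), "wb").close()  # empty placeholder DLLs
    return [os.path.basename(p) for p in find_orphaned_assemblies(base)]


if __name__ == "__main__":
    print(demo())  # ['App_Web_e5f6a7b8.dll']
```

Pointing `find_orphaned_assemblies` at the server's real Temporary ASP.NET Files root turns this into a triage list; in-memory-only modules will not appear here and need process or ETW-level visibility instead.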

Threatening Modules

The functionality of IceApple depends on the deployed modules. Each of the 18 identified modules is designed to perform a particular task, including collecting credentials, manipulating the file system by deleting files and directories, and exfiltrating confidential and valuable data. In fact, there is one module for single-file exfiltration and a different one capable of encrypting, compressing and uploading multiple files at a time. The security experts warn that IceApple is likely still under active development, and its capabilities could be expanded even further through the introduction of additional modules.
