Threat hunters expose novel IceApple attack framework

A novel post-exploitation framework that allows the activity of its malicious actors to persist on their targets was exposed Wednesday by Crowdsrike’s Falcon OverWatch threat hunters. Dubbed IceApple, the .NET-based framework has been observed since late 2021 in multiple victim environments in geographically diverse locations with targets spanning the technology, academic and government sectors, according to CrowdStrike’s report.

Up to now, Falcon OverWatch’s threat hunters have found the framework only on Microsoft Exchange instances, but they said it’s capable of running under any Internet Information Services (IIS) web application and advise organizations to make sure their web apps are fully patched to avoid infection.

“While the use of .NET and reflective code in attacks is common, what’s uncommon is how these threat actors are trying to evade detection,” Falcon OverWatch Vice President Param Singh tells CSO. “They’re not using one evasion technique. They’re using six or seven evasion techniques.”

IceApple targets hard-coded Microsoft APIs

CrowdStrike outlined ways by which IceApple is designed to avoid detection. For example, it uses an in-memory-only framework, which contributes to the software maintaining a low forensic footprint in a targeted environment.

The threat hunters also found one of the framework’s modules leveraging undocumented APIs not intended to be used by third-party developers. Singh explains that Microsoft has created two sets of APIs—a user-friendly set typically used by third-party developers and an undocumented set for Microsoft’s developers. “Malware authors and normal developers use the user-friendly APIs,” he says. “What IceApple threat actors are doing is bypassing the user-friendly APIs and going directly to the hard-coded Microsoft APIs. That bypass is evasive because most security vendors tap into only the user-friendly APIs.”

Another evasion technique can be found in how the files used to assemble the framework are named. At first glance, they appear to be typical temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. Closer inspection reveals that filenames are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS.

Small footprint makes IceApple hard to detect

IceApple also uses “chunking” techniques to keep its footprint small to reduce the risk of detection. “Since the framework uses a modular approach, the attackers can break down their code into chunks and only drop the chunks relevant to a particular target environment,” Singh explains. “We found 18 different modules, but some targets may see only seven, because the attacker may be interested in only persistence and not exfiltration.”

“By breaking down the big framework into smaller chunks, they can keep the file sizes much smaller,” Singh says. “Many times when a file is labeled as a temporary file and it’s only in kilobytes, you might think it’s really just a temporary file. Only when temporary files are in the megabytes do they become suspicious.”

IceApple objectives align with nation-state goals

The CrowdStrike report also notes that IceApple’s long-running objectives aimed at intelligence collection aligns with a targeted, state-sponsored mission. “We have seen similar combinations of evasion techniques from nation-state threat actors,” Singh says. “Multiple levels of evasion are used by threat actors who want to make sure that they’re not kicked off a machine. They’re persistent and running a long-term campaign.”