Suspected state-sponsored threat actor uses IceApple to target technology, academic and government sectors with deceptive software.

A novel post-exploitation framework that allows its operators to persist on their targets was exposed Wednesday by CrowdStrike’s Falcon OverWatch threat hunters. Dubbed IceApple, the .NET-based framework has been observed since late 2021 in multiple victim environments in geographically diverse locations, with targets spanning the technology, academic and government sectors, according to CrowdStrike’s report.

So far, Falcon OverWatch’s threat hunters have found the framework only on Microsoft Exchange instances, but they said it is capable of running under any Internet Information Services (IIS) web application, and they advise organizations to make sure their web apps are fully patched to avoid infection.

“While the use of .NET and reflective code in attacks is common, what’s uncommon is how these threat actors are trying to evade detection,” Falcon OverWatch Vice President Param Singh tells CSO. “They’re not using one evasion technique. They’re using six or seven evasion techniques.”

IceApple targets hard-coded Microsoft APIs

CrowdStrike outlined ways by which IceApple is designed to avoid detection. For example, it is an in-memory-only framework, which helps the software maintain a low forensic footprint in a targeted environment. The threat hunters also found one of the framework’s modules leveraging undocumented APIs not intended to be used by third-party developers. Singh explains that Microsoft has created two sets of APIs: a user-friendly set typically used by third-party developers and an undocumented set for Microsoft’s own developers. “Malware authors and normal developers use the user-friendly APIs,” he says. “What IceApple threat actors are doing is bypassing the user-friendly APIs and going directly to the hard-coded Microsoft APIs. That bypass is evasive because most security vendors tap into only the user-friendly APIs.”

Another evasion technique can be found in how the files used to assemble the framework are named. At first glance, they appear to be typical temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. Closer inspection reveals that the filenames are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS.

Small footprint makes IceApple hard to detect

IceApple also uses “chunking” techniques to keep its footprint small and reduce the risk of detection. “Since the framework uses a modular approach, the attackers can break down their code into chunks and only drop the chunks relevant to a particular target environment,” Singh explains. “We found 18 different modules, but some targets may see only seven, because the attacker may be interested in only persistence and not exfiltration.”

“By breaking down the big framework into smaller chunks, they can keep the file sizes much smaller,” Singh says. “Many times when a file is labeled as a temporary file and it’s only in kilobytes, you might think it’s really just a temporary file. Only when temporary files are in the megabytes do they become suspicious.”

IceApple objectives align with nation-state goals

The CrowdStrike report also notes that IceApple’s long-running objectives, aimed at intelligence collection, align with a targeted, state-sponsored mission. “We have seen similar combinations of evasion techniques from nation-state threat actors,” Singh says. “Multiple levels of evasion are used by threat actors who want to make sure that they’re not kicked off a machine.
They’re persistent and running a long-term campaign.”