Suspected state-sponsored threat actor uses IceApple to target technology, academic and government sectors with deceptive software. Credit: Thinkstock A novel post-exploitation framework that allows the activity of its malicious actors to persist on their targets was exposed Wednesday by Crowdsrike’s Falcon OverWatch threat hunters. Dubbed IceApple, the .NET-based framework has been observed since late 2021 in multiple victim environments in geographically diverse locations with targets spanning the technology, academic and government sectors, according to CrowdStrike’s report.Up to now, Falcon OverWatch’s threat hunters have found the framework only on Microsoft Exchange instances, but they said it’s capable of running under any Internet Information Services (IIS) web application and advise organizations to make sure their web apps are fully patched to avoid infection.“While the use of .NET and reflective code in attacks is common, what’s uncommon is how these threat actors are trying to evade detection,” Falcon OverWatch Vice President Param Singh tells CSO. “They’re not using one evasion technique. They’re using six or seven evasion techniques.” IceApple targets hard-coded Microsoft APIsCrowdStrike outlined ways by which IceApple is designed to avoid detection. For example, it uses an in-memory-only framework, which contributes to the software maintaining a low forensic footprint in a targeted environment. The threat hunters also found one of the framework’s modules leveraging undocumented APIs not intended to be used by third-party developers. Singh explains that Microsoft has created two sets of APIs—a user-friendly set typically used by third-party developers and an undocumented set for Microsoft’s developers. “Malware authors and normal developers use the user-friendly APIs,” he says. “What IceApple threat actors are doing is bypassing the user-friendly APIs and going directly to the hard-coded Microsoft APIs. That bypass is evasive because most security vendors tap into only the user-friendly APIs.”Another evasion technique can be found in how the files used to assemble the framework are named. At first glance, they appear to be typical temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. Closer inspection reveals that filenames are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS. Small footprint makes IceApple hard to detectIceApple also uses “chunking” techniques to keep its footprint small to reduce the risk of detection. “Since the framework uses a modular approach, the attackers can break down their code into chunks and only drop the chunks relevant to a particular target environment,” Singh explains. “We found 18 different modules, but some targets may see only seven, because the attacker may be interested in only persistence and not exfiltration.”“By breaking down the big framework into smaller chunks, they can keep the file sizes much smaller,” Singh says. “Many times when a file is labeled as a temporary file and it’s only in kilobytes, you might think it’s really just a temporary file. Only when temporary files are in the megabytes do they become suspicious.”IceApple objectives align with nation-state goalsThe CrowdStrike report also notes that IceApple’s long-running objectives aimed at intelligence collection aligns with a targeted, state-sponsored mission. “We have seen similar combinations of evasion techniques from nation-state threat actors,” Singh says. “Multiple levels of evasion are used by threat actors who want to make sure that they’re not kicked off a machine. They’re persistent and running a long-term campaign.” Related content news analysis SEC rule for finance firms boosts disclosure requirements Amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. By Evan Schuman May 17, 2024 5 mins Data Breach Financial Services Industry Data Privacy feature DDoS attacks: Definition, examples, and techniques Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for over twenty years, and they’re only growing more prevalent and stronger. By Josh Fruhlinger May 17, 2024 10 mins DDoS Cyberattacks news FCC proposes BGP security measures Protecting the Border Gateway Protocol is as important as protecting the border. By Gyana Swain May 17, 2024 1 min Regulation Network Security news US AI experts targeted in cyberespionage campaign using SugarGh0st RAT Threat actors use phishing techniques to obtain non-public information about generative artificial intelligence. By Lucian Constantin May 16, 2024 4 mins Phishing Data and Information Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe