Home Malware Threat hunters expose novel IceApple attack framework

Threat hunters expose novel IceApple attack framework

Source Link

A novel post-exploitation framework that allows the activity of its malicious actors to persist on their targets was exposed Wednesday by Crowdsrike’s Falcon OverWatch threat hunters. Dubbed IceApple, the .NET-based framework has been observed since late 2021 in multiple victim environments in geographically diverse locations with targets spanning the technology, academic and government sectors, according to CrowdStrike’s report.

Up to now, Falcon OverWatch’s threat hunters have found the framework only on Microsoft Exchange instances, but they said it’s capable of running under any Internet Information Services (IIS) web application and advise organizations to make sure their web apps are fully patched to avoid infection.

“While the use of .NET and reflective code in attacks is common, what’s uncommon is how these threat actors are trying to evade detection,” Falcon OverWatch Vice President Param Singh tells CSO. “They’re not using one evasion technique. They’re using six or seven evasion techniques.”

IceApple targets hard-coded Microsoft APIs

CrowdStrike outlined ways by which IceApple is designed to avoid detection. For example, it uses an in-memory-only framework, which contributes to the software maintaining a low forensic footprint in a targeted environment.

The threat hunters also found one of the framework’s modules leveraging undocumented APIs not intended to be used by third-party developers. Singh explains that Microsoft has created two sets of APIs—a user-friendly set typically used by third-party developers and an undocumented set for Microsoft’s developers. “Malware authors and normal developers use the user-friendly APIs,” he says. “What IceApple threat actors are doing is bypassing the user-friendly APIs and going directly to the hard-coded Microsoft APIs. That bypass is evasive because most security vendors tap into only the user-friendly APIs.”

Another evasion technique can be found in how the files used to assemble the framework are named. At first glance, they appear to be typical temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. Closer inspection reveals that filenames are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS.

Copyright © 2022 IDG Communications, Inc.

Related Articles

Leave a Comment