Unique IceApple Attack Framework Targets Multiple Sectors

The campaign

• As of May, IceApple includes 18 modules and is under active development, and has been used across several enterprise environments. 
• The malware was discovered in 2021 and has targeted victims across academic, government, and technology sectors. 
• It uses an in-memory-only framework, indicating that the threat actor aims to maintain a low forensic footprint on victims. 
• Its long-running campaign focuses on intelligence gathering and indicates that it is a state-sponsored mission, allegedly, aligning with China-nexus, state-sponsored intrusions. 

Why this matters

• While the intrusions by IceApple observed so far involved loading the malware on Microsoft Exchange servers, it is capable of running on any IIS web application. This makes it a strong threat.
• The various modules that come with the malware enable it to list and eliminate directories and files, steal credentials, write data, exfiltrate sensitive data, and query Active Directory. 
• IceApple’s main motive is to increase its operator’s visibility of the target by gaining access to credentials and pilfering confidential information. 

Malware details

• The malware’s modular design allowed the threat actor to arrange every functionality into its own .NET assembly and reflectively load the functions as required. 
• Reflective code loading is defined as a technique to hide malicious payloads, according to MITRE. It refers to assigning and executing payloads directly in the memory of any running process. 
• Such payloads can comprise compiled binaries, fileless executables, and anonymous files. 
• Reflective code loading can leave security teams completely oblivious to these attacks. While they may notice a web server connecting to a suspicious IP, they won’t know which code triggered the connection. 

The bottom line