A mysterious adversary snoops around government and academia without leaving a trace

A sophisticated post-exploitation framework has been used against the government, academia, and technology sectors. Observed intrusions align with China-nexus state-sponsored activity, but researchers do not rush with attribution.

CrowdStrike’s Falcon OverWatch team has uncovered a new, sophisticated post-exploitation framework dubbed IceApple.

Since its first detection late last year, IceApple has been observed in different locations, lurking in technology, academic, and government sectors’ systems.

Post-exploitation framework does not provide access to the systems. Instead, it is used to further mission objectives. Researchers identified at least 18 distinct IceApple modules capable of discovery, credential harvesting, file and directory deletion, and data exfiltration.

According to CrowdStrike, adversaries have repeatedly returned to victim environments to carry out their post-exploitation activities.

IceApple maintains what researchers call a low forensic footprint on the infected host.

“This is typical of long-running objectives aimed at intelligence collection and aligns with a targeted, state-sponsored mission,” CrowdStrike said.

The observed targeted intrusion aligns with China-nexus state-sponsored activity, yet IceApple has not been attributed to a named threat actor yet.

“To date, IceApple has been observed being deployed on Microsoft Exchange server instances, however, it is capable of running under any Internet Information Services (IIS) web application,” the company said, adding that fully patching web applications is a must.

IceApple has a number of features to blend into the victim’s environment and evade detection. CrowdStrike suggests the framework has been developed by an adversary with deep knowledge of the inner workings of IIS software.

According to the latest CrowdStrike’s Threat Report, China emerged as a leader in vulnerability exploitation.

“For years, Chinese actors relied on exploits that required user interaction, whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code. In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services,” the report reads.

Last year, Chinese actors used vulnerabilities in Microsoft Exchange and continued to exploit internet-routing products, including VPNs.

More from Cybernews:

Hackers take down Russia's alternative to YouTube, Rutube

A study in cyber: why colleges must do more to fend off ransom gangs

Russia is planning cyberattacks on countries that support Ukraine, GCHQ director warns

Russia confirmed to be behind cyberattacks on satellite comms, wind farms in Europe

Hyper-personalized customer experience for privacy: a trade-off we’re willing to make?

Race to quantum future: have you mounted a horse or a goat?

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked