A mysterious adversary snoops around government and academia without leaving a trace


A sophisticated post-exploitation framework has been used against the government, academic, and technology sectors. The observed intrusions align with China-nexus state-sponsored activity, but researchers are not rushing to attribute it.

CrowdStrike’s Falcon OverWatch team has uncovered a new, sophisticated post-exploitation framework dubbed IceApple.

Since it was first detected late last year, IceApple has been observed in multiple environments, lurking in the systems of technology, academic, and government organizations.


A post-exploitation framework does not itself provide initial access to a system. Instead, it is used to further the adversary's objectives once access has already been gained. Researchers identified at least 18 distinct IceApple modules capable of discovery, credential harvesting, file and directory deletion, and data exfiltration.

According to CrowdStrike, adversaries have repeatedly returned to victim environments to carry out their post-exploitation activities.

IceApple maintains what researchers call a low forensic footprint on the infected host.

“This is typical of long-running objectives aimed at intelligence collection and aligns with a targeted, state-sponsored mission,” CrowdStrike said.

The observed targeted intrusions align with China-nexus state-sponsored activity, but IceApple has not yet been attributed to a named threat actor.

“To date, IceApple has been observed being deployed on Microsoft Exchange server instances, however, it is capable of running under any Internet Information Services (IIS) web application,” the company said, adding that fully patching web applications is a must.

IceApple has a number of features that let it blend into the victim's environment and evade detection. CrowdStrike suggests the framework was developed by an adversary with deep knowledge of the inner workings of the IIS software.

According to CrowdStrike's latest Threat Report, China has emerged as a leader in vulnerability exploitation.


“For years, Chinese actors relied on exploits that required user interaction, whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code. In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services,” the report reads.

Last year, Chinese actors exploited vulnerabilities in Microsoft Exchange and continued to target internet-facing networking products, including VPNs.