CrowdStrike’s Falcon OverWatch proactive threat hunting has uncovered a sophisticated .NET-based post-exploitation framework, dubbed IceApple. The framework has been observed being deployed on Microsoft Exchange server instances, but it is capable of running under any Internet Information Services (IIS) web application.
Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022.
This research paper, “IceApple: A Novel Internet Information Services (IIS) Post-Exploitation Framework,” provides:
- Insights into how proactive threat hunting uncovered IceApple
- Information on how IceApple is being used in the wild
- A deep dive into the functionality of all currently discovered modules of this evolving framework as well as information about how these modules interact