Threat hunters expose novel IceApple attack framework

Threat hunters expose novel IceApple attack framework

Suspected state-sponsored threat actor uses IceApple to target technology, academic and government sectors with deceptive software.

Credit: Dreamstime

A novel post-exploitation framework that allows the activity of its malicious actors to persist on their targets has been exposed by Crowdsrike's Falcon OverWatch threat hunters. 

Dubbed IceApple, the .NET-based framework has been observed since late 2021 in multiple victim environments in geographically diverse locations with targets spanning the technology, academic and government sectors, according to CrowdStrike’s report.

Up to now, Falcon OverWatch's threat hunters have found the framework only on Microsoft Exchange instances, but they said it's capable of running under any Internet Information Services (IIS) web application and advise organisations to make sure their web apps are fully patched to avoid infection.

"While the use of .NET and reflective code in attacks is common, what's uncommon is how these threat actors are trying to evade detection," Falcon OverWatch Vice President Param Singh told CSO. "They're not using one evasion technique. They're using six or seven evasion techniques."

IceApple targets hard-coded Microsoft APIs

CrowdStrike outlined ways by which IceApple is designed to avoid detection. For example, it uses an in-memory-only framework, which contributes to the software maintaining a low forensic footprint in a targeted environment.

The threat hunters also found one of the framework's modules leveraging undocumented APIs not intended to be used by third-party developers. Singh explains that Microsoft has created two sets of APIs—a user-friendly set typically used by third-party developers and an undocumented set for Microsoft's developers. 

"Malware authors and normal developers use the user-friendly APIs," he said. "What IceApple threat actors are doing is bypassing the user-friendly APIs and going directly to the hard-coded Microsoft APIs. That bypass is evasive because most security vendors tap into only the user-friendly APIs."

Another evasion technique can be found in how the files used to assemble the framework are named. At first glance, they appear to be typical temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. 

Closer inspection reveals that filenames are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS.

Small footprint makes IceApple hard to detect

IceApple also uses "chunking" techniques to keep its footprint small to reduce the risk of detection. 

"Since the framework uses a modular approach, the attackers can break down their code into chunks and only drop the chunks relevant to a particular target environment," Singh explained. "We found 18 different modules, but some targets may see only seven, because the attacker may be interested in only persistence and not exfiltration."

"By breaking down the big framework into smaller chunks, they can keep the file sizes much smaller," Singh said. "Many times when a file is labeled as a temporary file and it's only in kilobytes, you might think it's really just a temporary file. Only when temporary files are in the megabytes do they become suspicious."

IceApple objectives align with nation-state goals

The CrowdStrike report also notes that IceApple's long-running objectives aimed at intelligence collection aligns with a targeted, state-sponsored mission. 

"We have seen similar combinations of evasion techniques from nation-state threat actors," Singh said. "Multiple levels of evasion are used by threat actors who want to make sure that they're not kicked off a machine. They're persistent and running a long-term campaign."

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags CrowdStrikecyber security



Join key decision-makers within Environmental, Social, and Governance (ESG) that have the power to affect real change and drive sustainable practices. SustainTech will bridge the gap between ambition and tangible action, promoting strategies that attendees can use in their day-to-day operations within their business.

EDGE 2023

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.


ARN has celebrated gender diversity and recognised female excellence across the Australian tech channel since first launching WIICTA in 2012, acknowledging the achievements of a talented group of female front runners who have become influential figures across the local industry.

ARN Innovation Awards 2023

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

Show Comments