IceApple

IceApple is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.[1]

ID: S1022
Type: MALWARE
Platforms: Windows
Contributors: Raphaël Lheureux
Version: 1.1
Created: 27 June 2022
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

IceApple can collect files, passwords, and other data from a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

IceApple .NET assemblies have used App_Web_ in their file names to appear legitimate.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

The IceApple Result Retriever module can AES encrypt C2 responses.[1]

Enterprise T1620 Reflective Code Loading

IceApple can use reflective code loading to load .NET assemblies into MSExchangeOWAAppPool on targeted Exchange servers.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

IceApple can use a Base64-encoded AES key to decrypt tasking.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

IceApple can use HTTP GET to request and pull information from C2.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

IceApple can encrypt and compress files using Gzip prior to exfiltration.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

IceApple's Credential Dumper module can dump encrypted password hashes from SAM registry keys, including HKLM\SAM\SAM\Domains\Account\F and HKLM\SAM\SAM\Domains\Account\Users\*\V.[1]

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

IceApple's Credential Dumper module can dump LSA secrets from registry keys, including: HKLM\SECURITY\Policy\PolEKList\default, HKLM\SECURITY\Policy\Secrets\*\CurrVal, and HKLM\SECURITY\Policy\Secrets\*\OldVal.[1]

Enterprise T1083 File and Directory Discovery

The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.[1]

Enterprise T1505 .004 Server Software Component: IIS Components

IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.[1]

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

IceApple can harvest credentials from local and remote host registries.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

IceApple can use Base64 and "junk" JavaScript code to obfuscate information.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

IceApple can delete files and directories from targeted systems.[1]

Enterprise T1082 System Information Discovery

The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.[1]

Enterprise T1016 System Network Configuration Discovery

The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.[1]

Enterprise T1056 .003 Input Capture: Web Portal Capture

The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials.[1]

Enterprise T1041 Exfiltration Over C2 Channel

IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.[1]

References