IcePeony Hackers Exploiting Public Web Servers To Inject Webshells

IcePeony, a China-nexus APT group, has been active since 2023, targeting India, Mauritius, and Vietnam by exploiting SQL injection vulnerabilities to compromise systems using webshells and backdoors, leveraging a custom IIS malware called IceCache.

The attackers accidentally exposed a server containing sensitive data, including a zsh_history file that revealed their detailed attack timeline and techniques.

They used aliases to simplify commands and access help information, such as “hPass” to access Mimikatz tutorials.

They used SQL injection and IceCache, compromised government websites, installed webshells, and exfiltrated sensitive domain user information.

They also employed tools like StaX, Diamorphine, craXcel, and WmiExec to expand their attack surface and maintain persistence.

Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here 

IcePeony’s StaX tool is a customized version of Stowaway. This high-performance proxy tool encrypts communication targets using Custom Base64 and AES for active mode, providing enhanced security for network traffic.

An attacker leveraged ProxyChains to execute malicious scripts “info.sh” and “linux_back.sh” on victim machines, which harvested system information, established persistence, and deployed a rootkit named Diamorphine. 

The IcePeony server hosted IceCache, malware targeting IIS servers used to attack the attack surface server. The related malware IceEvent, though not found in any logs, was likely used to compromise an offline computer.

IceCache, a Go-based ELF64 binary, is a malicious tool designed for intrusion operations. It is installed on IIS servers and offers various functionalities, such as command execution, file transfer, and proxy services. 

The malware’s developers have been actively improving its capabilities over time, as evidenced by the increasing number of commands and the evolution of its functionality.

IceEvent, a simple passive-mode backdoor, was discovered in India. It is installed as a service and executes commands through sockets and files. 

A and B were identified, with A focusing on reading files and executing processes and B on uploading and downloading files. All submissions were from India, highlighting the potential for domestic cyber threats.

The analysis by Nao_Sec reveals that IceEvent and IceCache share similar code, XOR keys, and command execution processes, suggesting a common developer and source code.

The malware’s communication data is easily decodable due to its reliance solely on XOR encryption.

The investigation revealed that IcePeony likely operates under a 996 working-hour system in the UTC+8 time zone.

Their consistent activity patterns, including extended workdays and limited weekends, suggest organized, professional operations rather than personal activities.

While code comments, malware origin, target selection, and infrastructure suggest IcePeony is a Chinese threat actor group likely state-sponsored, targeting governments and educational sectors in India, Mauritius, and Vietnam. 

IcePeony, a new Chinese cyber threat group, has been targeting Indian government websites since 2023. It uses SQL injection attacks to install web shells and steal credentials.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide (PDF)