IcePeony Hackers Exploit Web Servers with Stealthy Webshell Attacks

The newly discovered China-nexus APT group “IcePeony” has been active since 2023, targeting entities in India, Mauritius, and Vietnam. Its attack chain begins with SQL injection and leads to webshell and backdoor compromise.

The group employs a unique custom IIS malware, “IceCache,” in its operations. An extensive analysis strongly suggests that IcePeony is of Chinese origin and that the group operates under challenging conditions.

IcePeony, a Chinese state-sponsored threat actor, has been targeting Asian countries since 2023, using SQL injection attacks to compromise government and academic institutions and then installing webshells and malware to steal credentials and exfiltrate data.

Figure: Open directory

In July, an exposed zsh_history file revealed their tactics and tools, including the custom tools IceCache and StaX. Their attacks involve multiple stages, from initial compromise to data exfiltration, and often leverage open-source tools such as craXcel and WmiExec.

IcePeony utilizes StaX, a customized variant of Stowaway with custom encryption, to proxy its communication, and leverages ProxyChains to execute scripts on compromised systems through that proxy.

Figure: Malware targeting IIS

Information gathering is achieved through info.sh, which collects system details, user information, and network configurations, while persistence is established with linux_back.sh, a script that downloads and executes backdoor shells and creates backdoor users. 

They also deploy the Diamorphine rootkit. IcePeony possesses malware targeting IIS (IceCache) and potentially another system (IceEvent), though no usage logs for IceEvent were found.

Figure: IceCache information

IceCache and IceEvent, two malicious ELF64 binaries developed in Go, were found to be installed on IIS servers and executed remotely. They were created by the same developer “power” and shared similar code structures and functionalities, including command execution, SOCKS proxy, and file transmission. 

The developers continuously improved the malware by adding new commands and features, making it more versatile for intrusion operations. The majority of infected systems were located in India, suggesting the targeted nature of these attacks.

Figure: Similarities between IceCache and IceEvent

The Nao_Sec investigation suggests IcePeony is a professional threat actor group likely based in China: the operators work long hours in the UTC+8 timezone, six days a week, and use a custom malware called IceCache built upon a lesser-known Chinese tool called reGeorgGo.
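The exposed zsh_history mentioned earlier and the UTC+8 working-hour pattern described here are connected: zsh records an epoch timestamp per command when EXTENDED_HISTORY is enabled, so an analyst can shift those timestamps into a candidate timezone and inspect the hour-of-day and weekday distribution. The following is an added illustration of that analysis, not code from the Nao_Sec report; the history lines are constructed samples and the tool names are taken from this article.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# zsh writes this format when EXTENDED_HISTORY is set: ": <epoch>:<duration>;<command>"
EXT_HIST_RE = re.compile(r"^: (?P<ts>\d+):(?P<dur>\d+);(?P<cmd>.*)$")
# Constructed sample history (not the real exposed file); epochs fall in July 2024.
SAMPLE_HISTORY = """\
: 1720425600:0;./info.sh
: 1720429200:3;bash linux_back.sh
: 1720436400:0;proxychains python3 wmiexec.py
: 1720522800:0;ls -la
: 1720598400:0;./stax -h
: 1720684800:1;cat /etc/passwd
: 1720832400:0;./stax -h
plain line without a timestamp prefix
"""

def parse_history(text):
    """Return (utc_datetime, command) pairs; lines lacking the extended prefix
    are skipped because plain zsh history carries no timestamps."""
    entries = []
    for line in text.splitlines():
        m = EXT_HIST_RE.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
            entries.append((ts, m.group("cmd")))
    return entries

def activity_profile(entries, utc_offset_hours):
    """Count commands per local hour-of-day and per weekday (0=Mon)
    after shifting each timestamp into the candidate operator timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours, weekdays = Counter(), Counter()
    for ts, _ in entries:
        local = ts.astimezone(tz)
        hours[local.hour] += 1
        weekdays[local.weekday()] += 1
    return hours, weekdays

def tools_mentioned(entries, names):
    """Known tool names (case-insensitive substring match) seen in the commands."""
    return sorted({n for _, cmd in entries for n in names if n.lower() in cmd.lower()})

if __name__ == "__main__":
    ents = parse_history(SAMPLE_HISTORY)
    hrs, days = activity_profile(ents, 8)  # hypothesis under test: operators sit in UTC+8
    print("busiest local hours:", hrs.most_common(3), "weekdays active:", sorted(days))
    print("tools:", tools_mentioned(ents, ["info.sh", "linux_back.sh", "proxychains", "wmiexec", "stax"]))
```

Running the profile for several offsets and comparing how cleanly activity clusters into a working day is how a timezone hypothesis is checked; a single offset on its own proves nothing.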

The actors target government and educational sectors in India, Mauritius, and Vietnam, which might be related to China’s geopolitical interests. They show a preference for open-source tools developed in Chinese-speaking regions and leave traces of simplified Chinese in their tools.

Figure: Simplified Chinese comments

IcePeony, a new cyber threat group, has been targeting Indian and Vietnamese government websites since 2023, employing SQL injection attacks to exploit vulnerabilities in publicly accessible web servers and installing web shells or malware to steal credentials.

Suspected to be Chinese state-backed, IcePeony’s activities align with China’s maritime strategy, and ongoing monitoring is crucial to mitigate the threat the group continues to pose.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
