Adlumin recently discovered a new malware named PowerDrop, designed to target the aerospace industry in the U.S. This malware, based on PowerShell, has been attributed to an unidentified threat actor. It employs sophisticated tactics such as deception, encoding, and encryption to avoid detection. Researchers came across this malware in May when it was discovered within an undisclosed domestic aerospace defense contractor.
Malware analysis
Researchers have determined that the malware consists of a novel combination of PowerShell and Windows Management Instrumentation (WMI) as a RAT with persistence.
The malware operates by sending Internet Control Message Protocol (ICMP) echo request messages, serving as a trigger for its C2 functionality.
Additionally, similar ICMP ping techniques are utilized for data exfiltration purposes.
In summary, the analysis suggests that the malware's primary objective is to execute remote commands on targeted networks after successfully infiltrating, executing, and maintaining persistence within servers.
Why this matters
The recent attack highlights the advancement of living-off-the-land techniques employed by threat actors.
While the use of PowerShell for remote access and WMI-based persistence of PowerShell scripts, as well as ICMP triggering and tunneling, are not new concepts, this malware presents a unique combination that hasn't been observed previously.
It occupies a position between basic, off-the-shelf threats and the sophisticated tactics typically employed by APT groups.
Although the fundamental structure of the threat itself is not exceptionally advanced, its capability to camouflage suspicious actions and circumvent endpoint defenses suggests the involvement of more proficient threat actors.
Latest PowerShell threats
The Vice Society ransomware gang developed a sophisticated PowerShell script to automate data theft from compromised networks. The script employs living-off-the-land tools to avoid detection by security software, making it challenging for defenders to thwart their attacks.
In April, threat actors were found using password-protected WinRAR self-extracting (SFX) archives to install persistent backdoors in target systems undetected. The use of customized SFX archives allows them to run PowerShell and malicious scripts without triggering the security agent.
The bottom line
Adlumin cautions individuals within the aerospace defense industry to maintain a state of heightened awareness regarding PowerDrop. The company suggests conducting vulnerability scans on Windows systems and remaining vigilant for any unusual pinging activity originating from their networks toward external sources. The PowerDrop malware exemplifies the potency of blending traditional methods with innovative techniques in the contemporary landscape.