New PowerDrop malware targets US aerospace defense industry

An unknown threat actor has been found targeting the US aerospace defense industry with a new PowerShell malware script, which uses advanced techniques to evade detection, according to a report from cybersecurity firm Adlumin.

Dubbed 'PowerDrop,' the malware was discovered in the network of an unnamed domestic aerospace defense contractor in May 2023. The analysis showed that PowerDrop “was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT),” and was used to run remote commands after hackers gained initial access, execution, and persistence into servers.

It’s currently unclear how the intruders gained initial access to the victim’s network, but the team believes the malware most likely relied on a previously known exploit for initial access, such as a phishing email or a drive-by download with execution through wscript.exe.

Although the researchers have yet to identify the threat actor behind the malware, they suspect that the attack was likely carried out by a nation-state hacker group.

“The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic ‘off-the-shelf threat’ and the advanced tactics used by Advanced Persistent Threat (APT) groups,” the research team noted.

PowerDrop is a PowerShell script executed by the Windows Management Instrumentation (WMI) service and encoded using Base64 to function as a backdoor or RAT.

It was found that the malicious script was executed using previously registered WMI event filters and consumers named 'SystemPowerManager,' created during the installation of the implant using the 'wmic.exe' command-line tool.
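A defender-side hunt for this persistence mechanism, added here as an example and not part of the Adlumin report: it enumerates the WMI event filters, consumers and bindings in root\subscription, flags the 'SystemPowerManager' name the report gives, and also flags any consumer that launches PowerShell with an encoded command (that second heuristic is a general assumption, not a detail from the report).

```powershell
# Added example (not from the Adlumin report): hunt for WMI event-subscription
# persistence. 'SystemPowerManager' is the name reported for PowerDrop; the
# encoded-PowerShell heuristic is a general assumption. Run in an elevated shell.
function Find-SuspiciousWmiSubscription {
    $ns = 'root\subscription'
    $suspectNames = @('SystemPowerManager')

    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Filters: the report names the filter as well as the consumer
    foreach ($f in $filters | Where-Object { $suspectNames -contains $_.Name }) {
        [pscustomobject]@{ Kind = 'Filter'; Name = $f.Name; Detail = $f.Query; Reason = 'name matches reported indicator' }
    }

    foreach ($c in $consumers) {
        $reasons = @(); $decoded = $null
        if ($suspectNames -contains $c.Name) { $reasons += 'name matches reported indicator' }

        # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries script text
        $payload = [string]$c.CommandLineTemplate + [string]$c.ScriptText
        if ($payload -match 'powershell' -and $payload -match '-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
            $reasons += 'launches PowerShell with an encoded command'
            # -EncodedCommand is Base64 over UTF-16LE; decode for analyst review
            try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
            catch { $decoded = '<not valid Base64>' }
        }
        if ($payload -match 'FromBase64String') { $reasons += 'decodes Base64 at runtime' }

        if ($reasons.Count -gt 0) {
            # Binding references look like \\.\root\subscription:CommandLineEventConsumer.Name="X"
            $bound = $bindings | Where-Object { ($_.Consumer -split '"')[1] -eq $c.Name } |
                     ForEach-Object { ($_.Filter -split '"')[1] }
            [pscustomobject]@{
                Kind    = $c.CimClass.CimClassName
                Name    = $c.Name
                Detail  = $payload
                Filters = $bound -join ';'
                Reason  = $reasons -join '; '
                Decoded = $decoded
            }
        }
    }
}

Find-SuspiciousWmiSubscription | Format-List
```

Legitimate permanent WMI subscriptions are rare on most servers, so any binding the administrators did not create is worth reviewing even when no heuristic fires.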

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.
