7 June 2023

New PowerDrop malware targets US aerospace defense industry

An unknown threat actor has been found targeting the US aerospace defense industry with a new PowerShell malware script, which uses advanced techniques to evade detection, according to a report from cybersecurity firm Adlumin.

Dubbed 'PowerDrop,' the malware was discovered in the network of an unnamed domestic aerospace defense contractor in May 2023. The analysis showed that PowerDrop “was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT),” and was used to run remote commands after hackers gained initial access, execution, and persistence into servers.

It is currently unclear how the intruders gained initial access to the victim’s network, but the team believes the malware was most likely delivered through a previously known initial-access method, such as a phishing email or a drive-by download followed by execution through wscript.exe.

Although the researchers have yet to identify the threat actor behind the malware, they suspect that the attack was likely carried out by a nation-state hacker group.

“The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic ‘off-the-shelf threat’ and the advanced tactics used by Advanced Persistent Threat (APT) groups,” the research team noted.

PowerDrop is a Base64-encoded PowerShell script that is executed by the Windows Management Instrumentation (WMI) service and functions as a backdoor or RAT.

The malicious script was executed through previously registered WMI event filters and consumers named 'SystemPowerManager', which were created during installation of the implant using the 'wmic.exe' command-line tool.
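The persistence mechanism described above leaves durable artifacts in the root\subscription WMI namespace that defenders can enumerate. The following PowerShell is an added, defender-side example (not code from the Adlumin report or from the malware): it lists every permanent filter-to-consumer binding and flags the traits the article reports, namely a filter or consumer named 'SystemPowerManager' (the name taken from the article) or a consumer that launches Base64-encoded PowerShell. The helper function names are this example's own; run it from an elevated PowerShell prompt on the host under review.

```powershell
# Added example: audit permanent WMI event subscriptions for PowerDrop-style traits.
$ns   = 'root\subscription'
$name = 'SystemPowerManager'   # filter/consumer name reported in the article

$filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$cmdCons  = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer)
$scrCons  = @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Hypothetical helper: what a consumer will run when its filter fires.
function Get-ConsumerPayload {
    param($Consumer)
    # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries script text.
    if ($Consumer.CommandLineTemplate) { return $Consumer.CommandLineTemplate }
    return $Consumer.ScriptText
}

# Hypothetical helper: reasons a binding deserves a closer look, or an empty list.
function Get-SuspicionReasons {
    param($Filter, $Consumer, [string]$Payload)
    $reasons = @()
    if ($Filter.Name -eq $name -or $Consumer.Name -eq $name) {
        $reasons += "name matches reported '$name'"
    }
    # Encoded PowerShell launched from a WMI consumer is rarely legitimate.
    if ($Payload -match '(?i)powershell' -and $Payload -match '(?i)(-e\w*\s+[A-Za-z0-9+/=]{20,}|FromBase64String)') {
        $reasons += 'launches Base64-encoded PowerShell'
    }
    return $reasons
}

$findings = foreach ($b in $bindings) {
    # A binding references its filter and consumer by key; resolve to the full objects.
    $f = $filters | Where-Object Name -eq $b.Filter.Name
    $c = ($cmdCons + $scrCons) | Where-Object Name -eq $b.Consumer.Name
    $payload = Get-ConsumerPayload -Consumer $c
    $why = Get-SuspicionReasons -Filter $f -Consumer $c -Payload $payload
    if ($why) {
        [pscustomobject]@{
            Filter   = $f.Name
            Query    = $f.Query      # the WQL trigger, e.g. a timer or process-start event
            Consumer = $c.Name
            Payload  = $payload
            Reason   = ($why -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious permanent WMI subscriptions found.' }
```

Any hit should be compared against the host's known-good subscriptions (some management agents register their own) before the filter, consumer and binding are removed.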

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.
