Wednesday, 07 June 2023 13:31

New PowerShell Malware Dubbed PowerDrop used to Target US Aerospace Industry

Written by

Reading time is around minutes.

It is Wednesday, so it is about time to talk about a new strain of malware. In this case one that leverages Microsoft’s PowerShell to do its dirty work. Primarily a post-exploitation tool, PowerDrop is leveraged after access is obtained by other means. According to researchers at Adlumin, the tool also seems to focus on information gathering/theft. The attack also used WMI (Windows Management instrumentation) to execute the PowerShell commands which could be a move to living off the land.

PowerDrop is not a specifically sophisticated tool although it does use standard ICMP (Internet Control Message Protocol) echo requests as a beacon back to C2 servers (Command and Control). When the C2 server gets a beacon, it responds with encrypted commands. These commands are decrypted and executed on the host (via a PowerShell call from WMI). Once executed PowerDrop then uses another ICMP echo request to exfiltrate the information in 128-byte chunks. This latter is to avoid triggering network monitoring for data exfiltration and is fairly common in terms of exfiltration techniques.

Again, PowerDrop seems to be relatively common in what it is doing and how it operates. The interesting part of it all is that the methods of detection evasion show a good working knowledge of how defenses are deployed in an environment. The use of small packets to avoid network monitors, the use of WMI to avoid child process detection rules, and even the obfuscated and encrypted commands show that this threat group is aware of best practices for security. They have created a tool that exists just outside of those practices and so were able to remain undetected for a while.

Again, we see that attackers know the normal security practices well and are quite capable of developing simple techniques and tools that are good enough to get in and remain hidden by those common security practices. Something must change in the way security is “done”, we cannot continue to do what has always been done and expect anything other than failure. Cybersecurity needs to become more than chasing numbers and metrics. It must become more proactive and dynamic to meet the evolving threat landscape.

Read 573 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.