PowerDrop malware exploits PowerShell Script for C&C attacks against US aerospace sector

A new malicious PowerShell script called PowerDrop, targeting the U.S. aerospace defense industry, has been discovered by Adlumin Threat Research. Using advanced techniques to evade detection, the novel malware straddles the line between a basic off-the-shelf threat and the tactics used by APT (advanced persistent threat) groups. Once the attacker has gained initial access to a server, executed the script and established persistence, the malware is used to run remote commands against the victim's network.

“‘PowerDrop’ is the name Adlumin researchers have given the malware they found implanted in the network of a domestic aerospace defense contractor in May 2023. The name is derived from the tool, Windows PowerShell, used to concoct the script, and ‘Drop’ from the DROP (DRP) string used in the code for padding,” researchers wrote in a blog post this week. “The threat was detected by Adlumin’s machine learning-based algorithms which analyze PowerShell commands and arguments at run-time.”

The post added that upon reverse engineering, Adlumin’s team found that the malware was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT). “The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware’s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.”

The blog also outlines that the usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but “what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic ‘off-the-shelf-threat’ and the advanced tactics used by Advanced Persistent Threat (APTs) Groups.”

Adlumin has not yet identified the threat actor behind the malware but suspects nation-state aggressors, since the discovery comes at a time of increased R&D into missile programs while the war in Ukraine continues, the post added.

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” according to Will Ledesma, director of Adlumin’s cybersecurity operation center. “It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape.”

“This latest attack shows the evolution of ‘living off the land’ tactics by threat actors,” Mark Sangster, Adlumin’s vice president of strategy, said. “While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors,” Sangster added.

Kevin O’Connor, who heads Adlumin’s Threat Research Team, said that the malware uses triggers and exfil patterns which are flagged by intrusion detection systems, but that the malware also appears to be a ‘custom’ development, using advanced techniques to evade detection, such as deception, encoding, and encryption.

“Adlumin’s Threat Research Team believes this malware presents a real threat as it has been able to evade detection by some commonly deployed EDR software, likely due to its practice of encoding the PowerShell command line arguments and the use of WMI for persistence,” O’Connor added.

Adlumin analyzed the PowerShell process execution context to identify that the malicious PowerShell script/implant was being executed by the WMI service using previously registered WMI event filters and consumers.

“The WMI event filter and consumer registrations were created by the malware during the initial installation of the PowerDrop implant,” the post identified. “The WMI event filter and consumer registrations are created using the WMI command line tool ‘wmic[dot]exe’ and are executed using the ‘wmic[dot]exe’ command line tool.”

The team was unable to identify the source of the WMI event filter and consumer registrations, “but we believe that the malware is likely using a previously known exploit to gain initial access to the victim’s computer such as a phishing email or drive-by download and execution through wscript.exe and that the command line filter and consumer registrations are created by the malware during the initial installation of the PowerDrop implant through a wmic[dot]exe command line execution.”

Adlumin produced Snort and SIGMA detections to help identify potential instances of this malware both on the endpoint and in captured or monitored network traffic. The Snort detection is applied to outbound network traffic and flags PowerDrop data exfiltration. The SIGMA detection, by contrast, works on PowerShell script block logging and matches the unencoded components that the PowerDrop implant must contain to run.
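The persistence mechanism described above (a WMI event filter bound to a consumer that launches PowerShell with encoded arguments) can be audited from the endpoint side. The following hunting script is an added example, not Adlumin's code or their SIGMA rule; the regular expressions it uses to mark a consumer as suspicious are heuristics chosen here, not indicators published for PowerDrop.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag
# CommandLineEventConsumers that launch PowerShell with encoded, hidden
# or bypass-style arguments. Run as an administrator (root\subscription
# is not readable by standard users). Heuristics are assumptions, not IoCs.

$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Heuristic patterns (assumption): PowerShell host plus encoded/hidden switches.
$hostPattern = '(?i)\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b'
$argPattern  = '(?i)-e(nc(odedcommand)?)?\s|-nop\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|executionpolicy\s+bypass'

# Reference properties come back as CimInstance objects (key-only) from
# Get-CimInstance, but as object-path strings from Get-WmiObject; handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split 'Name=')[-1].Trim('"') }
    return $ref.Name
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer

    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }
    if (-not $c) { continue }   # ActiveScript/LogFile consumers are out of scope here

    $cmd  = $c.CommandLineTemplate
    $flag = ($cmd -match $hostPattern) -and ($cmd -match $argPattern)

    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query          # the WQL trigger, e.g. a timer or process event
        Consumer   = $cName
        Command    = $cmd
        Suspicious = $flag
    }
}
```

Legitimate subscriptions (e.g. SCCM client health checks) also appear in this output, so review the Query and Command columns rather than deleting bindings on sight; `Remove-CimInstance` on the binding, filter and consumer is the cleanup step once a malicious entry is confirmed.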

Commenting on the PowerDrop malware, Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement that, “Powerdrop has China written all over it. They have a long history of exploiting PowerShell for lateral movement and employing ML for counter-incident response.”

Kellermann added that given “that tensions with China are reaching a tipping point, it would be natural for them to target our aerospace industry. What’s more concerning is that they could be using a defense contractor as an island hop to leapfrog into the US Air Force.”

“This is a great example of why even modern EDR platforms are unable to detect sophisticated encrypted obfuscated attacks,” Dror Liwer, co-founder of cybersecurity company Coro, wrote in an emailed statement. “Deciphering intent is key to understanding whether there is a threat present. Utilizing AI or machine learning is the only way to be able to do that.” 

In conclusion, Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware that’s making the rounds. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

Last month, the U.S. Department of State released a framework to promote and explain the nation’s policy on cybersecurity and information and communications technologies (ICTS) in space, space-related critical infrastructure security and resilience, and space asset resiliency on the international stage. The document outlines how State Department diplomacy will advance continued U.S. space leadership and expand international cooperation on mutually beneficial space activities.