Cybersecurity researchers have discovered an unknown threat actor targeting US Aerospace companies with a new form of highly advanced cybersecurity threat – a PowerShell-based malware called PowerDrop. The actor behind this malware has been using advanced techniques such as deception, encoding, and encryption to evade initial detection and access victim networks.
Experts have analyzed the code and found that the name “PowerDrop” comes from the tool used to create the script – Windows PowerShell, and the code for padding – “Drop” (DRP). This indicates that the attackers are likely advanced and have significant knowledge of scripting and coding.
Attackers are using this malware as a post-exploitation tool to gather information from victim networks after obtaining initial access through other means. They use the network’s own defenses, such as existing access privileges, to act as a cover for their offensive actions and further improve their ability to infiltrate and compromise the target system.
To hide their activity and evade detection, PowerDrop uses advanced techniques such as employing ICMP echo request messages as beacons to initiate communication with the command-and-control (C2) server. This message is then responded to by the server with an encrypted command that is decoded and run on the compromised host. A similar ICMP ping message is used for exfiltrating the results of the instruction.
The malware also executes the PowerShell command by means of the Windows Management Instrumentation (WMI) service, indicating the adversary’s attempts to leverage living-off-the-land tactics to sidestep detection. Through this method, the attackers can execute commands with lower friction. However, it may also provide clues that enable security researchers to identify and track them.
While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses indicates the involvement of more sophisticated threat actors. Security experts believe that the actor behind PowerDrop may have significant resources, knowledge, and access, suggesting links to an organized cybercriminal group or even a nation-state.
The attack on the US aerospace industry comes amid increasing concerns about the vulnerability of critical infrastructure to cyberattacks. Cybercriminals and nation-states are increasing their offensive cybersecurity activities, targeting strategic industries like energy, manufacturing, healthcare, and defense. They are using advanced techniques and tactics like this latest PowerDrop malware to bypass sophisticated cyber defenses and infiltrate even the most secure systems.
Mark Sangster, Vice President of Strategy at Adlumin, commented, “The use of living-off-the-land tactics is a common approach taken by cybercriminals to fly under the radar of existing endpoint defenses. While not a sophisticated form of malware, it is still capable of executing multiple commands on a single host and compromising a network. Unfortunately, once intruders have gained access to a network, it is difficult to detect what happens next.”
The cybersecurity community continues to call for organizations to strengthen their cybersecurity posture and take proactive steps to secure their networks against increasingly advanced threats. This includes implementing multi-layered security measures and actively monitoring and testing existing defenses to identify and address vulnerabilities before they can be exploited. It is only by remaining vigilant and taking a comprehensive approach to cybersecurity that organizations can hope to keep pace with the rapidly evolving threat landscape and ensure the safety and security of their data, networks, and customers.