Pierluigi Paganini June 07, 2023

A previously unknown threat actor has been observed targeting the U.S. aerospace defense sector with a new PowerShell malware dubbed PowerDrop.

Researchers from the Adlumin Threat Research discovered a new malicious PowerShell script, dubbed PowerDrop, that was employed in attacks aimed at organizations in the U.S. aerospace sector.

The PowerShell-based malware uses advanced techniques to evade detection, including deception, encoding, and encryption.

At this time Adlumin has yet to link the malware to a specific threat actor, but the researchers believe it could be a nation-state actor due to the level of sophistication of the malware and the nature of the targets.

“Adlumin has not yet identified the threat actor behind the malware, but suspects nation-state aggressors as the discovery comes at time of increased R&D into missile programs as the war in Ukraine continues.” reads the analysis published by Adlumin.

The researchers discovered the PowerDrop into in the network of a domestic aerospace defense contractor in May 2023.

The name comes from the Windows PowerShell tool and ‘Drop’ from the DROP (DRP) string used in the code for padding.

The malware is being used to remotely execute commands on the infected systems and gather information from the target network.

The malicious script sends Internet Control Message Protocol (ICMP) echo request messages to the C2, which in turn replies with a similar ICMP ping for data exfiltration.

“The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic “off-the-shelf-threat” and the advanced tactics used by Advanced Persistent Threat (APTs) Groups.” continues the report.

The malware relies on the WMI-based persistence of PowerShell scripts, the malicious code is being executed by the WMI service using previously registered WMI event filters and consumers.

Adlumin recommends organizations in the aerospace defense industry remain vigilant against PowerDrop. The company urges running vulnerability scanning at the core of Windows systems looking for unusual pinging activity from their networks to the outside.

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.

“It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape,”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PowerDrop)