PowerDrop Malware Uses PowerShell

powershell programming

A previously unidentified threat actor has been observed targeting the U.S. aerospace industry with a newly developed, PowerShell-based malware known as PowerDrop.

According to Adlumin, the cybersecurity firm that discovered it, PowerDrop uses several techniques to avoid detection, including deception, encoding, and encryption. The malware was found on the systems of an undisclosed domestic aerospace defense contractor in May 2023.

PowerDrop Mode of Operation

The name "PowerDrop" combines "Power", from the Windows PowerShell scripting engine, with "Drop", from the DROP (DRP) string that the code uses as padding.

PowerDrop is a post-exploitation tool: it is used to gather information from a targeted network after the attacker has already gained unauthorized access by other means.

To communicate with its command-and-control (C2) server, the malware sends Internet Control Message Protocol (ICMP) echo request messages as beacons. The server replies with an encrypted command, which the implant decodes and executes on the compromised host; the output of the command is then sent back to the attacker in another ICMP ping message. Carrying the channel over ICMP is a deliberate choice: many networks permit ping traffic and few inspect the echo payload, so the exchange can blend in with ordinary connectivity checks.

Furthermore, the PowerShell command is executed through the Windows Management Instrumentation (WMI) service, indicating the adversary's intent to abuse legitimate system features to avoid detection, an approach commonly referred to as "living off the land."
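Because the C2 channel described above rides on ordinary echo requests, one practical detection is to inspect the ICMP payload itself rather than the fact that a host is pinging. The following example is an added illustration of that idea; it is not code from Adlumin or from the PowerDrop implant, and it makes no claim about the specific byte patterns PowerDrop uses. The parser, the entropy and length thresholds, and the sample packets are all assumptions constructed for the example: a stock Windows ping carries a fixed 32-byte alphabetic payload, so an echo request that is much longer or that looks encrypted (high Shannon entropy) is worth a closer look.

```python
"""Flag ICMP echo requests whose payload does not look like a stock ping.

Added example for the ICMP beaconing described in the article above. Not code
from Adlumin or the malware; thresholds and sample frames are assumptions.
"""
import math
import struct

# Default payload sent by Windows ping.exe: 32 bytes, 'a'..'w' then 'a'..'i'.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted/random data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_icmp_echo(frame: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP frame, else None."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != IPPROTO_ICMP or len(frame) < ihl + 8:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp_type = frame[ihl]               # first byte of the ICMP header
    payload = frame[ihl + 8:]            # everything after type/code/csum/id/seq
    return src, dst, icmp_type, payload


def classify_echo(payload: bytes, max_len: int = 64, entropy_threshold: float = 6.0) -> str:
    """Heuristic verdict for an echo payload (thresholds are assumptions)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return "benign-windows-ping"
    if len(payload) > max_len or shannon_entropy(payload) > entropy_threshold:
        return "suspicious-beacon"
    return "unknown"


def build_icmp_packet(src: str, dst: str, payload: bytes,
                      icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct an IPv4+ICMP frame for test data (checksums left as zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_ICMP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return ip_hdr + icmp_hdr + payload


def scan(frames):
    """Return (src, dst, verdict) for every ICMP echo request in frames."""
    results = []
    for frame in frames:
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        results.append((src, dst, classify_echo(payload)))
    return results


# Constructed sample traffic, not captured from any real incident.
SAMPLE_FRAMES = [
    build_icmp_packet("10.0.0.5", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    build_icmp_packet("10.0.0.6", "10.0.0.1", b"hello world"),   # short, low entropy
    build_icmp_packet("10.0.0.7", "203.0.113.9", bytes(range(256))),  # 256 bytes, entropy 8.0
]

if __name__ == "__main__":
    for src, dst, verdict in scan(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {verdict}")
```

Only echo requests are examined here; since the article notes that the C2 server's encrypted command comes back in the reply, the same `classify_echo` check can be applied to echo replies (type 0) from external hosts by relaxing the type filter in `scan`. On a real sensor the frames would come from a pcap or a raw socket, and an alert on `suspicious-beacon` should be correlated with the host's process telemetry (which process opened the raw socket, and whether WMI or PowerShell was involved) before it is treated as a confirmed beacon.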

How Can Threat Actors Infiltrate Corporate Systems?

Threat actors can employ various tactics to infiltrate corporate systems, some of which include:

Phishing Attacks: This involves sending deceptive emails or messages to employees, often disguised as legitimate entities or individuals, in an attempt to trick them into revealing sensitive information or clicking on malicious links that grant unauthorized access.

Malware: Threat actors can use different types of malware, such as viruses, trojans, or ransomware, to exploit vulnerabilities in systems or deceive users into installing malicious software. This can happen through infected attachments, compromised websites, or malicious downloads.

Social Engineering: This technique relies on manipulating individuals through psychological tactics to obtain unauthorized access. It can involve impersonating trusted personnel, exploiting personal relationships, or leveraging publicly available information to gain the target's trust and extract sensitive information.

Insider Threats: Sometimes, individuals within an organization intentionally or inadvertently pose a security risk. Disgruntled employees, those motivated by financial gain, or individuals with compromised credentials can abuse their access privileges to infiltrate systems or leak sensitive information.

Exploiting Weak or Misconfigured Systems: Threat actors actively scan networks for vulnerabilities, such as unpatched software, misconfigured servers, or weak passwords. By identifying and exploiting these weaknesses, they can gain unauthorized access to corporate systems.

To defend against these infiltration methods, organizations should implement a comprehensive cybersecurity strategy that includes employee training, regular software updates and patches, strong access controls, network monitoring, encryption, and incident response plans.

June 7, 2023