A new PowerShell malware script named “PowerDrop” has been found used in attacks targeting the US aerospace and defense industry.
The malware was discovered by security researchers at Adlumin, who found samples on a defense contractor's network last month.
On Tuesday, the Adlumin team issued an advisory on PowerDrop, stating that the malware "straddles the line between 'basic off-the-shelf threats' and tactics used by the Advanced Persistent Threat Group (APT)."
PowerDrop uses advanced techniques such as deception, encoding, and encryption to avoid detection.
“PowerDrop’s code appears to be custom, designed to be stealthy and evasive to detection, runs via WMI, does not reside on disk, and employs uncommon methods of communication and data exfiltration. We use it and it is not available as an off-the-shelf product,” explains James Lively, Endpoint Security Research Specialist at Tanium.
"[However] Based on PowerDrop's capabilities, how it is implemented, and how PowerDrop is used by attackers in the aerospace industry, this indicates Advanced Persistent Threat (APT) activity."
Coalfire vice president Andrew Barratt said that criminals typically use PowerShell because of its breadth of capabilities and its ability to leverage existing infrastructure in commonly used computing environments to evade detection.
“These are convenient because they can be easily dropped into your work environment by email or USB and you don’t have to write sophisticated zero-days as part of your attack,” added Barratt.
“Manufacturers of major weapons systems in the United States and allies should be vigilant against this activity and closely monitor their supply chains in case it becomes a source of attack.”
Adlumin said in its advisory that the culprit behind PowerDrop has not been specifically identified, but that it suspects nation-state hackers may be involved.
Craig Jones, Vice President of Security Operations at Ontinue, said, “The lack of clear attribution to a specific actor adds to the mystery surrounding PowerDrop.”
“Currently, the community refrains from accusations. The ongoing conflict in Ukraine and its growing focus on aerospace and missile programs has turned suspicion on state adversaries.”
Regardless of the source, Adlumin warned aerospace and defense industry players to remain vigilant regarding the malware.
In particular, the company recommends conducting vulnerability scans on Windows systems as a mandatory precaution and keeping an eye out for unusual ping activity from the network to external sources.
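The "unusual ping activity" recommendation can be turned into a concrete hunt: group outbound ICMP echo requests by source and external destination and flag pairs whose timing is too regular for a human. The script below is an added example, not code from Adlumin's advisory; the flow records are constructed, the RFC 1918 internal ranges and the 20% jitter threshold are assumptions you would tune for your own environment.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# RFC 1918 ranges treated as internal; everything else counts as "external" for this check.
# (ipaddress.is_private would also exclude the documentation ranges used in the sample below.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real telemetry): (epoch seconds, src, dst, proto, icmp_type)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.10", "icmp", 8),    # near-constant 60 s echo cadence to an external host
    (1060, "10.0.0.5", "203.0.113.10", "icmp", 8),
    (1121, "10.0.0.5", "203.0.113.10", "icmp", 8),
    (1180, "10.0.0.5", "203.0.113.10", "icmp", 8),
    (1240, "10.0.0.5", "203.0.113.10", "icmp", 8),
    (1000, "10.0.0.7", "10.0.0.1", "icmp", 8),        # internal pings: ignored
    (1030, "10.0.0.7", "10.0.0.1", "icmp", 8),
    (1060, "10.0.0.7", "10.0.0.1", "icmp", 8),
    (1090, "10.0.0.7", "10.0.0.1", "icmp", 8),
    (1000, "10.0.0.9", "198.51.100.4", "icmp", 8),    # irregular, human-like pings: not flagged
    (1005, "10.0.0.9", "198.51.100.4", "icmp", 8),
    (1300, "10.0.0.9", "198.51.100.4", "icmp", 8),
    (1310, "10.0.0.9", "198.51.100.4", "icmp", 8),
    (1000, "10.0.0.5", "203.0.113.10", "tcp", None),  # non-ICMP traffic: ignored
]

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def find_icmp_beacons(flows, min_events=4, max_jitter=0.2):
    """Return (src, dst) pairs sending ICMP echo requests to external hosts at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, icmp_type in flows:
        if proto == "icmp" and icmp_type == 8 and is_external(dst):
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")  # relative spread of the intervals
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval": round(avg, 1), "jitter": round(jitter, 3)})
    return findings

if __name__ == "__main__":
    for finding in find_icmp_beacons(SAMPLE_FLOWS):
        print(finding)
```

Feed it real flow or firewall records with the same five fields and review the flagged hosts alongside WMI activity, since the page notes PowerDrop runs via WMI without touching disk.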