
An unknown attacker has been observed targeting the US aerospace industry with a new PowerShell-based malware called PowerDrop.
According to Adlumin, which found the malware in the network of an unnamed domestic aerospace defense contractor in May 2023, “PowerDrop uses advanced techniques to avoid detection such as deception, encoding, and encryption.”
“The name comes from the Windows PowerShell tool used to script it and the ‘DROP’ (DRP) string used in the code for padding.”
PowerDrop is a post-exploitation tool, designed to gather information from a victim’s network after initial access has been obtained through other means.

The malware uses Internet Control Message Protocol (ICMP) echo request messages as beacons to initiate communication with command and control (C2) servers.
The server side responds with encrypted commands that are decoded and executed on the compromised host. A similar ICMP ping message is then used to exfiltrate the results of the command.
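As an added illustration of the detection side of this beaconing channel (example code written for this article, not Adlumin’s tooling or the malware’s code), the following Python parses raw IPv4/ICMP packets and flags echo requests whose payload is neither the stock Windows ping pattern nor low-entropy, which is what encoded or encrypted C2 traffic riding on ICMP looks like on the wire. The sample packets, addresses and the 6.0 bits-per-byte threshold are constructed assumptions, not values from the report.

```python
import math
import socket
import struct
from collections import Counter

# 32-byte payload sent by the stock Windows ping; anything else deserves a closer look.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REQUEST = 8

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encoded or encrypted data sits near 8.0, plain ASCII around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, payload) for a raw IPv4/ICMP packet, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 8:]

def suspicious_echo(packet: bytes, entropy_threshold: float = 6.0):
    """Flag echo requests whose payload is not the stock pattern and looks encoded."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None or parsed[2] != ICMP_ECHO_REQUEST:
        return None
    src, dst, _, payload = parsed
    ent = shannon_entropy(payload)
    hit = payload != WINDOWS_PING_PAYLOAD and ent > entropy_threshold
    return {"src": src, "dst": dst, "len": len(payload), "entropy": round(ent, 2), "suspicious": hit}

def build_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request (checksums zeroed; fine for offline parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + payload

# Constructed sample traffic: one ordinary ping and one beacon-like request carrying encoded bytes.
SAMPLE_PACKETS = [
    build_icmp_echo("10.0.0.5", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    build_icmp_echo("10.0.0.5", "198.51.100.7", bytes((i * 37 + 11) % 256 for i in range(96))),
]

def scan(packets):
    """Return the record for every packet the heuristic flags."""
    return [r for p in packets if (r := suspicious_echo(p)) and r["suspicious"]]
```

On a mixed fleet, extend the allow-list with the default payloads of the other ping implementations in use before relying on the entropy check alone.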

Additionally, the PowerShell commands are run via the Windows Management Instrumentation (WMI) service, indicating that the attackers are attempting to use persistence tactics to evade detection.
“While the core DNA of this threat isn’t particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses is a huge advantage,” said Mark Sangster, vice president of strategy at Adlumin. “It smells of a more sophisticated threat actor.”