An unknown threat actor has been observed targeting the US aerospace industry with new PowerShell-based malware called PowerDrop.
“PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption,” according to Adlumin, which found the malware implanted in an unnamed domestic aerospace defense contractor in May 2023.
“The name is derived from the tool, Windows PowerShell, used to concoct the script, and ‘Drop’ from the DROP (DRP) string used in the code for padding.”
PowerDrop is also a post-exploitation tool, meaning it is designed to gather information from the victim’s network after initial access has been gained through other means.
The malware uses Internet Control Message Protocol (ICMP) echo request messages as beacons to initiate communication with command-and-control (C2) servers.
The server, for its part, responds with encrypted commands that are decoded and executed on the compromised host. Similar ICMP ping messages are used to exfiltrate the results of those instructions.
What’s more, the PowerShell commands are executed via the Windows Management Instrumentation (WMI) service, indicating the adversary’s attempt to use living-off-the-land tactics to evade detection.
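As an added, defender-side illustration (not code from Adlumin or from this article), the Python below scans constructed ICMP echo-request records for the traits described above: payloads that differ from the stock ping pattern, contain the DRP padding string, or carry high-entropy (encoded or encrypted) data, and that recur at a near-constant interval. The record layout, thresholds, addresses and sample traffic are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows ping data
PADDING_MARKER = b"DRP"  # padding string the Adlumin write-up names
ENTROPY_THRESHOLD = 4.5  # bits per byte (assumed cut-off); encoded data sits high

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; high values suggest encoded or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def payload_reasons(payload: bytes) -> list:
    """Why one echo payload looks like a C2 carrier rather than a plain ping."""
    if payload == WINDOWS_PING_PAYLOAD:
        return []
    reasons = []
    if PADDING_MARKER in payload:
        reasons.append("DRP padding marker")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy payload")
    return reasons

def flag_icmp_beacons(records, min_beacons=3, jitter=0.2):
    """records: dicts with ts, src, dst, type (8 = echo request), payload (assumed layout)."""
    by_pair = defaultdict(list)
    for r in records:
        if r["type"] == 8:
            by_pair[(r["src"], r["dst"])].append(r)
    findings = {}
    for pair, reqs in by_pair.items():
        reasons = {why for r in reqs for why in payload_reasons(r["payload"])}
        ts = sorted(r["ts"] for r in reqs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= min_beacons - 1:           # enough requests to judge timing
            mean = sum(gaps) / len(gaps)
            if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
                reasons.add("periodic beacon")     # near-constant interval
        if reasons:
            findings[pair] = sorted(reasons)       # {(src, dst): reasons}
    return findings

# Constructed sample (not a real capture): one ordinary ping pair, one host beaconing ~60 s apart.
BEACON_PAYLOAD = bytes(range(40)) + PADDING_MARKER * 2
SAMPLE = [{"ts": t, "src": s, "dst": d, "type": 8, "payload": p} for t, s, d, p in [
    (0, "10.0.0.5", "10.0.0.1", WINDOWS_PING_PAYLOAD), (1, "10.0.0.5", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    (0, "10.0.0.9", "203.0.113.7", BEACON_PAYLOAD), (60, "10.0.0.9", "203.0.113.7", BEACON_PAYLOAD),
    (121, "10.0.0.9", "203.0.113.7", BEACON_PAYLOAD)]]
```

Running `flag_icmp_beacons(SAMPLE)` flags only the 10.0.0.9 to 203.0.113.7 pair, on all three grounds; the ordinary ping pair is ignored.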
“While the core DNA of the threat is not particularly sophisticated, its ability to disguise suspicious activity and evade detection by endpoint defenses suggests a more sophisticated threat actor,” said Mark Sangster, vice president of strategy at Adlumin.