"PowerDrop" PowerShell Malware Targets US Aerospace Industry

A new PowerShell malware script named “PowerDrop” has been found in attacks targeting the aerospace defense industry in the US.

The malware was discovered by security researchers at Adlumin, who last month found a sample of the malware in a defense contractor’s network.

On Tuesday, the Adlumin team published an advisory about PowerDrop, saying the malware “straddles the line between a ‘basic off-the-shelf threat’ and tactics used by Advanced Persistent Threat Groups (APTs).”

PowerDrop relies on advanced techniques to evade detection, including deception, encoding and encryption.

“The code for PowerDrop appears to be custom, designed to be stealthy and evade detection, executed via WMI, does not reside on disk, uses uncommon methods for communication and exfiltration of data and is not available as an off-the-shelf product,” explained James Lively, endpoint security research specialist at Tanium.

“[However], based on the capabilities of PowerDrop, how they are implemented, and how the threat actor is using PowerDrop in the aerospace industry, it is indicative of Advanced Persistent Threat (APT) activity.”

Andrew Barratt, vice president at Coalfire, added that criminal actors typically utilize PowerShell because of its extensive range of features and its capability to avoid detection by leveraging existing infrastructure in commonly used computing environments.

“These are useful because they can be easily dropped into a working environment by email or USB and don’t require a sophisticated zero-day to be burned as part of the attack,” Barratt added.

“The US and allies’ primary weapons systems manufacturers should be on high alert for this activity and be critically monitoring their supply chains in case they become a source of attack.”

Adlumin stated in its advisory that the perpetrator behind PowerDrop had not been specifically identified, but it suspects that nation-state hackers may be involved.

“The absence of a clear attribution to a specific threat actor further deepens the mystery surrounding PowerDrop,” said Craig Jones, vice president of security operations at Ontinue.

“Currently, the community has refrained from pointing fingers; suspicions point towards nation-state adversaries due to the ongoing conflict in Ukraine and their intensified focus on aerospace and missile programs.”

Regardless of attribution, Adlumin urged organizations in the aerospace defense industry to remain alert to the malware.

In particular, the company recommends running vulnerability scans on Windows systems as an essential precaution and watching for any abnormal ping activity originating from their networks toward external destinations.
