Adlumin has recently uncovered a new PowerShell malware script known as ‘PowerDrop,’ which is specifically designed to launch attacks against the U.S. aerospace defense industry. The script was discovered within the network of a defense contractor and utilizes PowerShell and Windows Management Instrumentation (WMI) to establish a persistent remote access trojan (RAT) on compromised networks.
The malware’s operation tactics indicate a blend of off-the-shelf malware and advanced APT techniques, with the timing and targeted victims suggesting a likely state-sponsored attacker.
Adlumin detected PowerDrop through machine learning detection that scrutinizes the content of PowerShell script execution, although the exact infection chain or initial compromise remains unknown.
The initial delivery is presumed to have used common methods such as exploiting vulnerabilities, phishing emails, or spoofed software download sites. PowerDrop itself is a Base64-encoded PowerShell script executed by the WMI service, functioning as a backdoor or RAT.
PowerDrop takes advantage of WMI event filters and consumers: on the compromised system it uses the ‘wmic.exe’ command-line tool to register an event consumer named ‘SystemPowerManager’.
The WMI event filter is triggered by updates to a performance-monitoring class, so the malicious script runs without any visible process launch. Communication with the command-and-control (C2) server takes place over ICMP echo (ping) packets carrying encrypted payloads that contain the commands to execute, which keeps the traffic inconspicuous.
Because it runs through PowerShell and WMI and leaves no separate script file on disk, PowerDrop is highly stealthy. Its communications are encrypted with AES, and using ICMP for beaconing blends in with ordinary network traffic, reducing the chance of detection.
Organizations, particularly those in the aerospace defense industry, should exercise heightened vigilance, closely monitoring PowerShell execution and being alert to any unusual WMI activity to mitigate the threat posed by PowerDrop.
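The persistence technique described above, a WMI event filter bound to a consumer that launches encoded PowerShell, leaves a durable footprint in the root\subscription namespace that defenders can audit. The following PowerShell script is an added example written for this article, not code from Adlumin's report or from PowerDrop itself. It enumerates permanent WMI event subscriptions and flags bindings whose consumer name matches the ‘SystemPowerManager’ indicator from the report, whose consumer launches PowerShell or Base64-encoded content, or whose filter query subscribes to a performance-counter class. The Win32_PerfFormattedData/Win32_PerfRawData class pattern and the regular expressions are assumptions drawn from the description, not published indicators, and the function names are hypothetical.

```powershell
# Added example (not from Adlumin's report): audit permanent WMI event
# subscriptions for the filter-to-consumer persistence pattern described above.
# Run from an elevated PowerShell session; root\subscription is admin-only.

$Namespace = 'root\subscription'

# Consumer name attributed to PowerDrop in the report.
$KnownConsumerNames = @('SystemPowerManager')

# Consumer command lines or script bodies that look like an encoded or
# download-style PowerShell launcher (assumed pattern, not a published IoC).
$SuspiciousPayloadPattern = 'powershell|pwsh|-e(c|nc|ncodedcommand)?\b|FromBase64String|IEX\b|Invoke-Expression|DownloadString'

# Filter queries that subscribe to a performance-monitoring class, the trigger
# the report describes. Exact class family is an assumption.
$SuspiciousQueryPattern = 'Win32_Perf(Formatted|Raw)Data'

function Get-ReferenceName {
    # __FilterToConsumerBinding.Filter and .Consumer are object references.
    # Get-CimInstance returns them as CimInstance objects; legacy WMI paths are
    # strings such as __EventFilter.Name="x". Handle both forms.
    param($Ref)
    if ($null -eq $Ref) { return $null }
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-SuspiciousWmiSubscription {
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction Stop)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction Stop)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction Stop)

    foreach ($b in $bindings) {
        $filterName   = Get-ReferenceName $b.Filter
        $consumerName = Get-ReferenceName $b.Consumer
        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

        # CommandLineEventConsumer exposes CommandLineTemplate/ExecutablePath;
        # ActiveScriptEventConsumer exposes ScriptText/ScriptFileName.
        # Collapse whichever are present into one string for matching.
        $payload = (@($consumer.CommandLineTemplate, $consumer.ExecutablePath,
                      $consumer.ScriptText, $consumer.ScriptFileName) -join ' ').Trim()

        $reasons = @()
        if ($KnownConsumerNames -contains $consumerName)  { $reasons += 'consumer name matches reported indicator' }
        if ($payload -match $SuspiciousPayloadPattern)    { $reasons += 'consumer launches PowerShell or encoded content' }
        if ($filter.Query -match $SuspiciousQueryPattern) { $reasons += 'filter triggers on a performance-counter class' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Filter       = $filterName
                Query        = $filter.Query
                Consumer     = $consumerName
                ConsumerType = $consumer.CimClass.CimClassName
                Payload      = $payload
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list every flagged binding with its query and launch payload.
Get-SuspiciousWmiSubscription | Format-List
```

Review every hit before acting on it: legitimate management agents also create permanent subscriptions, so the value of this audit comes from comparing results against a known-good baseline and from correlating a flagged consumer with the PowerShell script-block logging the article recommends. Removing a malicious binding means deleting the __FilterToConsumerBinding, the __EventFilter and the consumer instance together, otherwise the remaining pieces can be rebound.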