A new PowerShell malware script, named “PowerDrop”, has been discovered in use in attacks targeting the US aerospace defense industry.
Researchers have determined that the malware consists of a novel combination of PowerShell and Windows Management Instrumentation (WMI) as a RAT with persistence. The malware operates by sending Internet Control Message Protocol (ICMP) echo request messages, serving as a trigger for its C2 functionality.
PowerDrop is a PowerShell script run by the Windows Management Instrumentation (WMI) service and encoded using Base64 to act as a backdoor or RAT.
Examining the system logs, the researchers discovered that the malicious script had been executed through registered Windows Management Instrumentation (WMI) event filters and consumers named “SystemPowerManager”, which the malware created when it compromised the system, using the command-line tool “wmic.exe”.
PowerDrop is particularly stealthy because it uses PowerShell and WMI, and all of its communication is AES encrypted. In addition, the new malware doesn't touch the disk as a “.ps1” script file, so it is unlikely to be detected.
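Because the script never lands on disk as a .ps1 file, the WMI repository itself is where the persistence described above can be found. The following is an added example (not code from the article or from Adlumin) that enumerates permanent WMI event subscriptions in root/subscription and flags the ones matching the pattern described here: a filter/consumer pair named “SystemPowerManager”, or a consumer that launches PowerShell with an encoded command. The “SystemPowerManager” name comes from the article; the regular expressions for spotting a PowerShell launcher and an encoded command line, and the function names, are my own assumptions.

```powershell
# Added example (not from Adlumin or the original article): enumerate WMI permanent
# event subscriptions and flag the ones that look like the PowerDrop persistence
# pattern described above. Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.

# "SystemPowerManager" is the filter/consumer name reported in the article.
# The regexes are assumptions about how an encoded PowerShell launcher usually looks.
$KnownNames      = @('SystemPowerManager')
$LauncherPattern = 'powershell(\.exe)?|pwsh(\.exe)?'
$EncodedPattern  = '(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'

function Get-SubscriptionRefName {
    # A binding references its filter/consumer either as a CimInstance (Get-CimInstance)
    # or as a path string such as __EventFilter.Name="X" (Get-WmiObject); handle both.
    param($Ref)
    if ($null -eq $Ref) { return $null }
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $Ref }
    }
    return $Ref.Name
}

function Get-SuspiciousWmiSubscription {
    [CmdletBinding()]
    param([string]$Namespace = 'root/subscription')

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        $fName    = Get-SubscriptionRefName $b.Filter
        $cName    = Get-SubscriptionRefName $b.Consumer
        $filter   = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # Reconstruct what the consumer will execute when the filter fires.
        $consumerClass = $consumer.CimClass.CimClassName
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '' }
        }

        $reasons = @()
        if ($KnownNames -contains $fName -or $KnownNames -contains $cName) { $reasons += 'name matches PowerDrop indicator' }
        if ($payload -match $LauncherPattern) { $reasons += 'consumer launches PowerShell' }
        if ($payload -match $EncodedPattern)  { $reasons += 'encoded command line' }
        if ($consumerClass -eq 'ActiveScriptEventConsumer') { $reasons += 'script consumer (runs VBScript/JScript)' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Filter        = $fName
                Query         = $filter.Query
                Consumer      = $cName
                ConsumerClass = $consumerClass
                Payload       = $payload
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list every flagged binding with its WQL trigger and the command it would run.
Get-SuspiciousWmiSubscription | Format-List
```

An empty result means no binding in root/subscription matched; legitimate software does register permanent subscriptions, so treat each hit as something to verify rather than as proof of compromise. For ongoing monitoring rather than a one-off sweep, Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity) and event 5861 in the Microsoft-Windows-WMI-Activity/Operational log both record the creation of these subscriptions, which complements the article's advice to watch for unusual outbound ICMP from the network side.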
Although the fundamental structure of the threat itself is not exceptionally advanced, its capability to camouflage suspicious actions and circumvent endpoint defenses suggests the involvement of more proficient threat actors.
In conclusion, Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware that’s making the rounds.
The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual ping (ICMP) activity from their networks to the outside.