New ‘Powerdrop’ Powershell Malware Targets U.S. Aerospace Industry
[ Posted: 2023-06-06 ]
A new PowerShell malware dubbed "PowerDrop" is specifically targeting the U.S. aerospace defense industry. The cybersecurity firm Adlumin found a sample of it in the network of a U.S. defense contractor. PowerDrop combines PowerShell with Windows Management Instrumentation (WMI) to establish a persistent remote access trojan (RAT) inside the compromised network. Its tradecraft falls somewhere between "off-the-shelf" malware and sophisticated advanced persistent threat (APT) techniques, and based on the timing and targets of the attacks it is highly probable that the operator is a state-sponsored entity. The implant itself is a PowerShell script, encoded in Base64 to conceal its contents, that acts as a backdoor by leveraging the WMI service. From system logs, the researchers determined that the script was launched by a pre-existing WMI event filter and event consumer, both named 'SystemPowerManager'; the malware created these components itself after compromising the system, using the 'wmic[.]exe' command-line tool.
“WMI is a built-in Windows feature that allows users to query local or remote computers for various information. In this case, it is being abused to trigger PowerShell command queries for updates to a performance-monitoring class. The particular class is frequently updated with performance-related information such as processes, threads, system calls/sec, and queue length, so planting a malicious event trigger every two minutes is unlikely to raise suspicions. "The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script," explains Adlumin in the report. "Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated." Once the PowerDrop script is active, it sends a hardcoded ICMP echo to its C2 server address, beaconing that a new infection is active” (Bleeping Computer, 2023).
The ICMP echo payload is a UTF-16LE encoded string that is not obfuscated; the encoding lets the command-and-control (C2) infrastructure tell the beacon apart from random probes. After sending the beacon, the malware waits 60 seconds for a response from the C2 server. The response is an encrypted, padded payload containing a command to execute; the malware decrypts it with a hardcoded 128-bit AES key and 128-bit initialization vector, then runs the command on the infected host. Results are returned to the C2 over the same channel, and results too large for a single message are divided into 128-byte chunks that are sent as a series of messages.
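The two traffic properties described above (a plain UTF-16LE beacon in an ICMP echo, and command output leaving in 128-byte pieces) can be turned into simple hunting heuristics. The PowerShell below is an added example, not code from the Adlumin report; the echo records, the beacon text 'EXAMPLE-BEACON', the addresses and the chunk contents are all constructed for illustration, and in practice the records would come from a packet capture or IDS export.

```powershell
# Added example, not part of the Adlumin report: heuristics for the ICMP
# channel described above, applied to constructed echo-request payloads.

function Test-Utf16LeText {
    param([Parameter(Mandatory)][byte[]]$Payload, [int]$MinChars = 4)
    # ASCII-range text encoded as UTF-16LE has 0x00 in every odd position and a
    # printable byte in every even one. The default Windows ping payload
    # ('abcdefghijklmnopqrstuvwabcdefghi') contains no zero bytes at all.
    if (($Payload.Length % 2) -ne 0 -or $Payload.Length -lt 2 * $MinChars) { return $false }
    for ($i = 0; $i -lt $Payload.Length; $i += 2) {
        if ($Payload[$i + 1] -ne 0) { return $false }
        if ($Payload[$i] -lt 0x20 -or $Payload[$i] -gt 0x7E) { return $false }
    }
    return $true
}

function Find-SuspiciousIcmp {
    param(
        [Parameter(Mandatory)][object[]]$Echoes,   # objects with Src, Dst, Payload ([byte[]])
        [int]$ChunkSize = 128,                     # result chunk size from the report
        [int]$ChunkThreshold = 3                   # echoes of that size before we alert
    )
    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. Beacon: an echo whose payload is plain UTF-16LE text.
    foreach ($e in $Echoes) {
        if (Test-Utf16LeText -Payload $e.Payload) {
            $hits.Add([pscustomobject]@{
                Src    = $e.Src
                Dst    = $e.Dst
                Reason = 'UTF-16LE text in ICMP payload'
                Detail = [System.Text.Encoding]::Unicode.GetString($e.Payload)
            })
        }
    }

    # 2. Exfiltration: a burst of echoes between one pair of hosts whose payloads
    #    are exactly $ChunkSize bytes, the shape of output split into 128-byte pieces.
    $bursts = $Echoes | Where-Object { $_.Payload.Length -eq $ChunkSize } |
              Group-Object -Property Src, Dst | Where-Object { $_.Count -ge $ChunkThreshold }
    foreach ($g in $bursts) {
        $hits.Add([pscustomobject]@{
            Src    = $g.Group[0].Src
            Dst    = $g.Group[0].Dst
            Reason = "$($g.Count) echoes with exactly $ChunkSize-byte payloads"
            Detail = 'possible chunked command output'
        })
    }
    return $hits
}

# Constructed sample traffic: one ordinary ping, one beacon-like echo, and a
# burst of three 128-byte echoes from the same host to the same destination.
$ascii   = [System.Text.Encoding]::ASCII
$unicode = [System.Text.Encoding]::Unicode
$chunk   = [byte[]](1..128)
$samples = @(
    [pscustomobject]@{ Src = '10.0.0.15'; Dst = '10.0.0.1';    Payload = $ascii.GetBytes('abcdefghijklmnopqrstuvwabcdefghi') }
    [pscustomobject]@{ Src = '10.0.0.15'; Dst = '203.0.113.9'; Payload = $unicode.GetBytes('EXAMPLE-BEACON') }
)
foreach ($n in 1..3) {
    $samples += [pscustomobject]@{ Src = '10.0.0.15'; Dst = '203.0.113.9'; Payload = $chunk }
}

Find-SuspiciousIcmp -Echoes $samples | Format-Table -AutoSize
```

The text heuristic is deliberately strict (every odd byte zero, every even byte printable), so ordinary ping padding and random data do not match; the size heuristic only fires on a burst, because a single 128-byte echo is unremarkable. Both are starting points for tuning against a site's own baseline, not a signature for this sample.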
Security Officer Comments:
According to Adlumin's findings, the combination of PowerShell and WMI, together with the absence of any ".ps1" script file that would leave traces on disk, makes PowerDrop hard to spot. AES encryption of the C2 exchange hides the commands from network inspection, although because the key and initialization vector are hardcoded in the script, anyone holding a sample can decrypt captured traffic. Beaconing over ICMP blends into a common and rarely inspected protocol, and the 120-second interval between malicious messages keeps the traffic sparse, further lowering the chance of discovery.
To counter this threat, organizations, particularly those in the aerospace defense industry, should maintain a high level of vigilance. This includes monitoring PowerShell execution and watching for unusual WMI activity, such as new event filters and consumers, that may indicate the presence of PowerDrop. Adlumin also recommends vulnerability scanning of core Windows systems and looking for unusual outbound ICMP (ping) traffic leaving the network.
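The persistence mechanism described earlier (an event filter on a performance-monitoring class bound to a consumer that runs PowerShell every 120 seconds) and the recommendation above to watch for unusual WMI activity both point at the same check: enumerate the permanent WMI event subscriptions on a host and flag the ones shaped like this. The PowerShell below is an added example, not code or detection content from Adlumin. Only the subscription name 'SystemPowerManager' comes from the report; the assumption that the polled class is one of the Win32_PerfFormattedData/Win32_PerfRawData performance classes, and the command-line patterns for encoded or hidden PowerShell, are this example's own.

```powershell
# Added example, not part of the Adlumin report: hunt for permanent WMI event
# subscriptions shaped like the PowerDrop persistence described above.
# Run from an elevated PowerShell prompt on the host under review.

function Get-RefName {
    param([object]$Ref)
    # Binding references come back as CIM instances from Get-CimInstance and as
    # WMI path strings ('__EventFilter.Name="X"') from older tooling; handle both.
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] }
        return $Ref
    }
    return [string]$Ref.Name
}

function Get-SuspiciousWmiSubscription {
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction Stop)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction Stop)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($fName -eq 'SystemPowerManager' -or $cName -eq 'SystemPowerManager') {
            $reasons.Add('name matches the subscription reported by Adlumin')
        }
        # Assumption: the "performance-monitoring class" is one of the Win32_Perf*Data
        # classes, whose constant updates let the trigger hide in routine activity.
        if ($f -and $f.Query -match 'Win32_Perf(Formatted|Raw)Data') {
            $reasons.Add('filter polls a performance-counter class')
        }
        # A long WITHIN polling interval reads like a beacon timer rather than monitoring.
        if ($f -and $f.Query -match 'WITHIN\s+(\d+)' -and [int]$Matches[1] -ge 60) {
            $reasons.Add("polling interval of $($Matches[1]) s")
        }
        # Consumer launches PowerShell, typically hidden and with an encoded command.
        if ($c -and $c.CommandLineTemplate -match '(powershell|pwsh)') {
            $reasons.Add('consumer launches PowerShell')
            if ($c.CommandLineTemplate -match '(-e[nc]*\s|-EncodedCommand|FromBase64String|-w(indowstyle)?\s+hidden)') {
                $reasons.Add('encoded and/or hidden PowerShell command line')
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Filter   = $fName
                Query    = $f.Query
                Consumer = $cName
                Command  = $c.CommandLineTemplate
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousWmiSubscription | Format-List
```

Compare the output against a known-good baseline rather than treating every hit as malicious: some management software installs legitimate subscriptions. For continuous coverage, Sysmon records the same three objects as it sees them created (event IDs 19 for WmiEventFilter, 20 for WmiEventConsumer and 21 for WmiEventConsumerToFilter), which catches the wmic.exe-driven creation step the report describes rather than only its result.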
Adlumin has produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic:
Cyber Security Cafe