The Adlumin Threat Research Team has made a significant discovery, uncovering a new type of malware that specifically targets the U.S. aerospace defense industry. The timing of this discovery is noteworthy, as the ongoing conflict in Ukraine has led to increased research and investment in missile programs, putting defense organizations on high alert.
Named "PowerDrop" by Adlumin researchers, the malware was found implanted in the network of a domestic aerospace defense contractor in May 2023. PowerDrop is a PowerShell-based Remote Access Tool (RAT) that persists through Windows Management Instrumentation (WMI). It utilizes advanced evasion techniques, such as deception, encoding, and encryption, making it a unique blend of a basic off-the-shelf threat and the tactics employed by Advanced Persistent Threat (APT) groups.
While the specific threat actor behind PowerDrop has not yet been identified, Adlumin suspects the involvement of nation-state aggressors due to the malware's targeting of an aerospace contractor. Mark Sangster, Vice President of Strategy at Adlumin, noted that this attack showcases the evolution of "living off the land" tactics employed by threat actors.
The malware uses triggers and exfiltration patterns that can be detected by intrusion detection systems, but it also incorporates custom development techniques to evade common endpoint defenses. The PowerShell command line arguments are encoded, and WMI is used for persistence, adding an extra layer of sophistication to the malware.
Adlumin's machine learning-based algorithms played a crucial role in detecting PowerDrop. By analyzing the content of executed PowerShell scripts, rather than just the command line arguments, the algorithms were able to identify the malware's presence. The PowerShell script acts as a backdoor or RAT, enabling remote command execution and exfiltration of the results.
Upon initial execution, PowerDrop sends an ICMP Echo Request message to a hardcoded IP address as a beacon. The malware then waits for a response, and upon receiving an encrypted payload from the command-and-control server, decrypts and executes the command using the Invoke-Expression cmdlet in PowerShell. The results of the command are encrypted and sent back to the C2 server.
Adlumin advises organizations in the aerospace defense industry to remain vigilant against this new threat. Implementing vulnerability scanning on Windows systems and monitoring network activity for unusual pinging behavior are recommended measures to detect and prevent PowerDrop infections.
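The "unusual pinging behavior" recommended for monitoring above is, in PowerDrop's case, a host that keeps sending ICMP Echo Requests to one hardcoded address at a steady interval. The following is an added example (not Adlumin's detection code) that flags such periodic ICMP beaconing in flow-style log records; the log format and the sample records are constructed for illustration.

```python
"""Flag hosts whose ICMP echo requests to a single destination recur at a
near-constant interval, the beaconing pattern the write-up says to watch for."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records (not real telemetry): "timestamp src dst icmp_type"
SAMPLE_LOG = """\
2023-05-01T10:00:00 10.0.0.5 203.0.113.7 8
2023-05-01T10:00:04 10.0.0.9 10.0.0.1 8
2023-05-01T10:01:00 10.0.0.5 203.0.113.7 8
2023-05-01T10:02:01 10.0.0.5 203.0.113.7 8
2023-05-01T10:02:30 10.0.0.9 10.0.0.254 8
2023-05-01T10:03:00 10.0.0.5 203.0.113.7 8
2023-05-01T10:04:00 10.0.0.5 203.0.113.7 8
2023-05-01T10:11:12 10.0.0.9 10.0.0.1 8
"""

def parse_icmp_log(text):
    """Return {(src, dst): [timestamps]} for ICMP Echo Requests (type 8) only."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, icmp_type = line.split()
        if icmp_type == "8":
            pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return (src, dst, mean_interval_s) for every src->dst pair with at least
    min_events requests whose gaps are nearly constant, i.e. the coefficient of
    variation (stdev / mean of inter-request gaps) is below max_jitter.
    Ordinary troubleshooting pings are bursty or one-off and fall outside this."""
    hits = []
    for (src, dst), times in parse_icmp_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible ICMP beacon: {src} -> {dst} every ~{interval}s")
```

Tune `min_events` and `max_jitter` to the environment; a real malware beacon may add randomized sleep, so the threshold trades false positives against missed slow or jittered beacons.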
Will Ledesma, Director of Adlumin's Cyber Security Operation Center, emphasizes the importance of having dedicated 24/7 cybersecurity teams in today's landscape, as PowerDrop demonstrates the potency of combining old tactics with new techniques.
As the cybersecurity landscape continues to evolve, organizations must stay proactive and resilient against emerging threats like PowerDrop. The discovery of this malware serves as a reminder of the ongoing need for robust cybersecurity measures to safeguard critical industries.