PowerDrop Malware Simple But Sophisticated
Suspected nation-state hackers are using malware that researchers say straddles the line between off-the-shelf and advanced tactics in order to target the U.S. aerospace industry.
The malware is a PowerShell and Windows Management Instrumentation remote access tool that uses a network-level internet protocol typically used for error reporting as a trigger for the command and control server, say researchers from Adlumin.
Adlumin dubs the malware PowerDrop. It’s hardly the first malware to use PowerShell or WMI to establish persistence, company researchers noted in a Tuesday blog post.
“While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors,” said Adlumin executive Mark Sangster.
The company says it found the malware present on the network of a U.S. aerospace defense contractor in May. Adlumin researchers did not identify the threat actor but suspect nation-state aggressors.
The malware can identify valuable information on the victim’s system and, if needed, perform additional operations such as sending screen captures and system information to the hackers’ command-and-control server.
The malware likely gains initial access to the victim’s computer through a previously known exploit or a common vector such as a phishing email or drive-by download. The PowerShell script is then executed by WMI.
The malware uses Internet Control Message Protocol echo request messages to trigger the command and control server as well as to exfiltrate data.
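Because the command channel and exfiltration both ride on ICMP echo requests, a defender's first question is which hosts are sending pings that do not look like connectivity checks. The following is an added detection sketch, not Adlumin's code or anything from the malware itself; it assumes a hypothetical per-packet export of echo requests (timestamp, source, destination, payload length) and uses constructed sample records and arbitrary thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed ICMP echo-request records (hypothetical sensor export), one per packet:
# (timestamp, source IP, destination IP, payload length in bytes). All values are made up.
SAMPLE_ECHO_REQUESTS = [
    (1, "10.0.0.5", "10.0.0.1", 32),      # ordinary Windows ping (32-byte payload)
    (2, "10.0.0.5", "10.0.0.1", 32),
    (3, "10.0.0.7", "203.0.113.9", 900),  # oversized payloads to a single external host
    (4, "10.0.0.7", "203.0.113.9", 1400),
    (5, "10.0.0.7", "203.0.113.9", 1400),
    (6, "10.0.0.7", "203.0.113.9", 1400),
    (7, "10.0.0.8", "10.0.0.1", 56),      # ordinary Linux ping (56-byte payload)
]

# Payload sizes emitted by stock ping utilities (assumption: Windows 32, Linux 56 bytes);
# echo requests with other sizes are worth a closer look.
STANDARD_PING_PAYLOADS = {32, 56}


@dataclass
class PairStats:
    packets: int = 0      # echo requests seen for this (src, dst) pair
    odd_sized: int = 0    # requests whose payload size is not a stock ping size
    total_bytes: int = 0  # payload bytes carried by all requests in the pair


def summarize(records):
    """Aggregate echo requests per (source, destination) pair."""
    stats = defaultdict(PairStats)
    for _ts, src, dst, payload_len in records:
        s = stats[(src, dst)]
        s.packets += 1
        s.total_bytes += payload_len
        if payload_len not in STANDARD_PING_PAYLOADS:
            s.odd_sized += 1
    return stats


def suspicious_pairs(records, min_odd=3, min_bytes=2048):
    """Return (src, dst) pairs whose echo requests look like a data channel rather than
    connectivity checks: several non-standard payload sizes, or a large byte volume.
    Thresholds are illustrative and should be tuned to the environment's baseline."""
    flagged = []
    for pair, s in summarize(records).items():
        if s.odd_sized >= min_odd or s.total_bytes >= min_bytes:
            flagged.append(pair)
    return sorted(flagged)
```

On the constructed sample, only the host pushing oversized payloads to the external address is flagged; the stock pings to the gateway pass.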