CTI Notification: PowerDrop Malware — US Aerospace Industry needs to be on High Alert

Novel Malware written in PowerShell uses advanced techniques to avoid detection

James Beal
Hunter Strategy
4 min read · Jun 7, 2023


Breakdown

Adlumin Threat Research released the initial details of a new discovery targeting the U.S. aerospace defense industry vertical. They have not been able to attribute it directly to a specific threat actor group, but believe the threat is at the nation-state/APT level, given the ongoing Russia/Ukraine conflict and the research into missile systems involved.

Overview

Adlumin Threat Research discovered the new threat in the environment of an unnamed U.S. aerospace defense contractor through their machine learning-based algorithms, which monitor run-time system activity. They took the sample and reverse engineered the code:

The name is derived from the tool, Windows PowerShell, used to concoct the script, and “Drop” from the DROP (DRP) string used in the code for padding.

Upon reverse engineering, Adlumin’s team found that the malware was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT). The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware’s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.

In essence, researchers concluded that the malware is being used to run remote commands against victim networks after gaining initial access, execution, and persistence into servers.

Using PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling. What is novel about this malware is that no code like it has surfaced before, and that it straddles the line between a basic "off-the-shelf" threat and the advanced tactics used by Advanced Persistent Threat (APT) groups.

They also note that this activity takes advantage of what are called Living off the Land techniques, which have become very popular with threat actor groups at all levels. These techniques abuse general-purpose software that, in most cases, is already installed on corporate systems, exactly like PowerShell. If an organization uses PowerShell internally for automated scripting, or system administrators have it configured for escalated access, a threat group using a malicious tool like PowerDrop can generally avoid detection. This malware also uses more advanced detection-evasion techniques for deception, encryption and encoding, which leads the researchers to conclude that it is very likely a nation-state level threat group.

Adlumin researchers feel this malware presents a very real, high-level threat with those capabilities: it was also able to evade detection by common endpoint detection tools because of the encoding of the PowerShell command-line arguments and its use of another built-in Windows tool, Windows Management Instrumentation (WMI), for persistence.
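As an added illustration (not Adlumin's SIGMA rule or any code from the original post), the following Python hunts over constructed Sysmon-style process-creation records for the two host-side traits described above: Base64-encoded PowerShell command-line arguments, decoded here so the script can be inspected, and references to the WMI event-subscription classes and cmdlets used for persistence. The record layout, field names and sample command lines are assumptions.

```python
import base64
import re

# The abbreviations PowerShell accepts for -EncodedCommand (-e, -ec, -enc, -EncodedCommand)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Cmdlets and WMI classes involved in permanent WMI event subscriptions (WMI persistence)
WMI_PERSISTENCE = ("__EventFilter", "CommandLineEventConsumer", "ActiveScriptEventConsumer",
                   "__FilterToConsumerBinding", "Register-WmiEvent", "Set-WmiInstance")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent or undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event):
    """Return the reasons a process-creation record looks like a PowerDrop-style launch (empty if none)."""
    cmd = event["CommandLine"]
    reasons = []
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE):
        reasons.append("hidden window")
    script = decode_encoded_command(cmd)
    if script is not None:
        reasons.append("encoded command")
        if any(k.lower() in script.lower() for k in WMI_PERSISTENCE):
            reasons.append("wmi persistence in decoded script")
    return reasons

def hunt(events):
    """Keep only records with at least one finding, as (RecordId, reasons) pairs."""
    return [(e["RecordId"], r) for e in events if (r := score_event(e))]

def encode_command(script):  # builds a -EncodedCommand argument (used only for the samples below)
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed Sysmon-style process-creation records (sample data, not real telemetry)
SAMPLE_EVENTS = [
    {"RecordId": 1, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"RecordId": 2, "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_command(
        "Set-WmiInstance -Namespace root\\subscription -Class __EventFilter -Arguments @{Name='drp'}")},
    {"RecordId": 3, "CommandLine": "powershell.exe -EncodedCommand " + encode_command("Get-Date")},
]

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_EVENTS):
        print(record_id, ", ".join(reasons))
```

Record 3 shows why decoding matters: an encoded command alone is a weak signal in environments that use it legitimately, while an encoded command that writes WMI subscription classes is worth an alert.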

Recommendation

Adlumin, through their research post, has provided a wealth of detail on the technical breakdown of the software for all information security defenders looking to learn more or to threat hunt in their own environments. They have specific sections on a full threat analysis, on how the malware handles execution and persistence, a section discussing the contents of the script itself and, most importantly, their suggested detections. They have provided a specific Snort detection designed to track the outbound network activity and data exfiltration process, and a SIGMA detection that finds the PowerShell executions.

Please reference the above-linked research blog for the exact technical details to build your own detections, and maintain vigilance on alerts from your EDR/EPP tools or anything related to unknown scripts executing in your environment.

Adlumin advises everyone working in the aerospace industry vertical to stay up to date and maintain awareness of any anomalous activity on their company systems, given the current increased threat levels. Defense industry organizations continue to be a primary target because of their research and processes around new technical and potential weapon-based systems.

We advise all organizations to stay active on vulnerability scanning, which should be a basic pillar of every IS program at any organization exposed to the organizational risk of a security incident.

Conclusion

To our current SOC partners, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this ongoing event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net

Our Website


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.