Researchers Discover New PowerShell Malware Targeting Aerospace Sector

Overview

A new malware strain with apparent implications for the U.S. aerospace sector was discovered by the threat research firm Adlumin. The malicious script, dubbed PowerDrop, was “implanted in the network” of an unnamed U.S. aerospace defense contractor.

While little is known about the scope and extent of PowerDrop’s use, aerospace organizations should be aware of this potential attack vector. Analysts note that there have been no instances of active exploitation in the wild since May 2023. The Adlumin Threat Research Team has provided detection tools to help analysts identify instances of PowerDrop both on endpoints and in network traffic.

This incident comes at a time when “living off the land” techniques have become more popular among threat actors, and it suggests that a sophisticated entity is behind its use. “Living off the Land” is a novel tactic that leverages native tools such as PowerShell and Windows Management Instrumentation (WMI) to carry out attacks, eliminating the need for attackers to install their own malicious code or scripts.

Attack Pattern

Researchers at Adlumin provided a detailed malware analysis, which suggests that PowerDrop’s level of sophistication falls between that of a novice and that of a nation-state threat actor. While the malware strain is new, its tactics, techniques and procedures indicate that a sophisticated threat actor may be behind its development and execution.

PowerDrop has been able to evade traditional endpoint detection and response (EDR) tools, in part because it uses PowerShell commands and Windows Management Instrumentation (WMI) to establish backdoor connections and remain undetected in network environments. Research suggests that initial access is gained through exploitation of known exposed vulnerabilities, spear-phishing campaigns, or drive-by compromise via the web browser. Once delivered, the malicious payload contains a remote access trojan (RAT) capable of remote code execution (RCE) and exfiltration of queried data.
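The PowerShell-plus-WMI persistence described above is what a defender should hunt for on endpoints. The script below is an added example, not Adlumin’s detection tooling or anything from the report; it assumes an elevated PowerShell session on the host being reviewed, and the token list it matches on is chosen here for illustration rather than taken from any published indicator.

```powershell
# Added example (not Adlumin's or Space ISAC's tooling): enumerate WMI permanent
# event subscriptions in root\subscription and flag consumers that launch
# PowerShell or use common evasion switches. Read-only; run from an elevated shell.
# The $Suspicious token list is an assumption chosen for illustration.

$Suspicious = @('powershell', 'pwsh', '-enc', '-encodedcommand', '-w hidden',
                '-windowstyle hidden', 'iex', 'invoke-expression',
                'downloadstring', 'frombase64string', '-nop', 'bypass')

function Test-SuspiciousText {
    param([string]$Text)
    # -match is case-insensitive; tokens are escaped so '-' and '.' stay literal.
    return @($Suspicious | Where-Object { $Text -match [regex]::Escape($_) })
}

function Get-WmiPersistenceFindings {
    $ns = 'root\subscription'
    $findings = @()

    # CommandLineEventConsumer starts a process whenever its bound filter fires.
    foreach ($c in @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        $text = "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim()
        $hits = @(Test-SuspiciousText $text)
        $findings += [pscustomobject]@{
            Class = 'CommandLineEventConsumer'; Name = $c.Name
            Suspicious = ($hits.Count -gt 0); Matched = ($hits -join ','); Evidence = $text
        }
    }

    # ActiveScriptEventConsumer runs inline VBScript/JScript, often just a PowerShell launcher.
    foreach ($s in @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
        $hits = @(Test-SuspiciousText $s.ScriptText)
        $findings += [pscustomobject]@{
            Class = 'ActiveScriptEventConsumer'; Name = $s.Name
            Suspicious = ($hits.Count -gt 0); Matched = ($hits -join ','); Evidence = $s.ScriptText
        }
    }

    # Filters hold the trigger (a timer, logon or process-start query). List every one,
    # since legitimate permanent subscriptions are rare on workstations and should be reviewed.
    foreach ($f in @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{
            Class = '__EventFilter'; Name = $f.Name
            Suspicious = $false; Matched = ''; Evidence = $f.Query
        }
    }
    return $findings
}

Get-WmiPersistenceFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Any flagged consumer should be cross-checked against the matching __FilterToConsumerBinding and the PowerShell script-block log before it is removed, so the trigger and the payload are both captured for the incident record.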

Significance

As space development continues and the world of aerospace contracting becomes more robust, threat actors may seek proprietary information associated with aerospace contracts, and proprietary data related to defense contracts may become an attractive extortion target. The high confidentiality of such data and its implications for national defense could motivate threat actors to make large ransom demands.

Recent data suggest that ransomware gangs are prioritizing exfiltration over encryption of sensitive data, and are switching to extortion-focused tactics when carrying out campaigns. Space ISAC assesses PowerDrop as a significant threat due to the sophistication of design, advanced persistence and detection avoidance, and the reported targeting of an aerospace defense contractor.

Read more from Space ISAC.