New ‘PowerDrop’ malware targeting US aerospace industry
A new malicious PowerShell script is targeting the United States aerospace industry, researchers have found.
The malware, dubbed PowerDrop, was found implanted on the network of an unnamed defense contractor in May by Adlumin Threat Research.
The malware is used as a remote access trojan to run commands on victim networks after the attackers have gained access to servers.
Researchers noted the malware’s unusual evasion tactics, which allow threat actors to “live off the land,” maintaining long-term access to a server without triggering detection.
Nation-state actors are suspected, researchers wrote, but have not been identified, and it is unclear how the hackers gain initial access.
“While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors,” said Adlumin Vice President of Strategy Mark Sangster.
Craig Jones, vice president of security operations at security firm Ontinue, agreed that all signs pointed to a nation-state actor being behind the malware.
“The absence of a clear attribution to a specific threat actor further deepens the mystery surrounding PowerDrop. Currently the community has refrained from pointing fingers; suspicions point towards nation-state adversaries due to the ongoing conflict in Ukraine and their intensified focus on aerospace and missile programs,” he said.
Adlumin recommends that companies and organizations in the aerospace defense industry stay on guard and conduct vulnerability scans on their networks.
The military and defense industry has been on high alert since it was revealed that Chinese hackers accessed critical infrastructure on Guam, where the U.S. has a large military presence.
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, told The Record, “PowerDrop has China written all over it.”
“They have a long history of exploiting PowerShell for lateral movement and employing ML [machine learning] for counter incident response,” he said. “Given that tensions with China are reaching a tipping point, it would be natural for them to target our aerospace industry.”
Jonathan Greig contributed reporting.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.