Suspected Nation-State Actors Target US Aerospace Industry
PowerDrop Malware Is Simple But Sophisticated
Suspected nation-state hackers are using malware that researchers say straddles the line between off-the-shelf and advanced tactics in order to target the U.S. aerospace industry.
The malware is a PowerShell and Windows Management Instrumentation remote access tool that uses a network-level internet protocol typically used for error reporting as a trigger for the command-and-control server, said researchers from Adlumin.
Adlumin dubs the malware PowerDrop. It's hardly the first malware to use PowerShell or WMI to establish persistence, company researchers said in a Tuesday blog post.
"While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors," said Adlumin executive Mark Sangster.
The company said it found the malware on the network of a U.S. aerospace defense contractor in May. Adlumin researchers did not identify the threat actor but suspect nation-state aggressors.
The malware can identify valuable information on the victim's system and, if needed, perform additional operations such as sending screen captures and system information to the hackers' command-and-control server.
The malware likely relies on a previously known technique, such as a phishing email or drive-by download, to gain initial access to the victim's computer. The PowerShell script is then executed via WMI.
The malware uses Internet Control Message Protocol echo request messages to trigger the command-and-control server as well as to exfiltrate data.
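Because the article describes ICMP echo requests doing double duty as a command-and-control trigger and an exfiltration channel, a defender's first question is what that traffic would look like against ordinary ping. The following Python is an added illustration written for this page, not Adlumin's tooling or anything from their report. It runs three checks over a constructed set of echo-request records: whether a payload matches a well-known stock ping pattern, whether it is oversized or high-entropy (as compressed or encrypted exfil chunks tend to be), and whether one source is sending an unusual number of echo requests to a single destination (beaconing). The stock-ping byte patterns, the thresholds and the sample hosts are all assumptions chosen for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Assumed stock payloads: Windows ping sends this fixed 32-byte string;
# Linux iputils fills byte i with the value i and overwrites the head with a
# timestamp, so only the 40-byte tail (0x10..0x37) of a 56-byte payload is compared.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(0x10, 0x38))


@dataclass
class IcmpEcho:
    """One ICMP echo request, reduced to the fields the checks need."""
    src: str
    dst: str
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload matches one of the assumed stock ping patterns."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_TAIL


def analyze(packets, max_len=64, entropy_threshold=6.0, beacon_threshold=20):
    """Return {(src, dst): [reasons]} for every flow that trips a check."""
    findings = defaultdict(list)
    counts = defaultdict(int)
    for p in packets:
        key = (p.src, p.dst)
        counts[key] += 1
        if looks_like_standard_ping(p.payload):
            continue
        if len(p.payload) > max_len:
            findings[key].append(f"oversized echo payload ({len(p.payload)} bytes)")
        ent = shannon_entropy(p.payload)
        if ent > entropy_threshold:
            findings[key].append(f"high-entropy echo payload ({ent:.2f} bits/byte)")
    # Volume check runs per flow, whatever the payloads looked like.
    for key, n in counts.items():
        if n >= beacon_threshold:
            findings[key].append(f"{n} echo requests to one destination (possible beaconing)")
    return dict(findings)


def build_sample_traffic():
    """Constructed sample traffic, not a real capture."""
    pkts = [IcmpEcho("10.0.0.5", "8.8.8.8", WINDOWS_PING_PAYLOAD) for _ in range(3)]
    # A host sending small, regular echo requests to one external address.
    pkts += [IcmpEcho("10.0.0.9", "203.0.113.7", b"\x00" * 8) for _ in range(25)]
    # Two large chunks whose bytes form a permutation of 0..255 (entropy 8.0).
    blob = bytes((i * 73 + 41) % 256 for i in range(256))
    pkts += [IcmpEcho("10.0.0.9", "203.0.113.7", blob) for _ in range(2)]
    return pkts


if __name__ == "__main__":
    for flow, reasons in analyze(build_sample_traffic()).items():
        print(flow)
        for r in reasons:
            print("   ", r)
```

In practice the records would come from a flow collector or a packet capture rather than the constructed list, and the entropy threshold is deliberately above the stock Linux payload's value so that only the whitelist, not entropy, decides what normal ping looks like.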