
US Aerospace Contractor Compromised by PowerDrop Backdoor Attack


A US defense contractor has been infected with a new backdoor malware called “PowerDrop”, which presented a gateway for further infections or worse. Adlumin, a cybersecurity firm, reported the threat, a PowerShell-based malware that gives attackers full access to compromised computers. Kevin O’Connor, the Director of Threat Research at Adlumin, commented that “PowerDrop essentially has full access to the computer”, warning that the attacker can “issue any remote command they want”. To operate in stealth mode, PowerDrop fragments large messages to and from the target machine into smaller ones and encrypts its payloads with a single static key. Hackers controlling the backdoor took advantage of native Windows programs through a “living-off-the-land” (LotL) strategy. The malware uses Windows Management Instrumentation (WMI) to establish itself as a seemingly legitimate service, making it harder to detect and posing as an “invisible” threat.
 
As PowerShell is commonly used by IT managers for legitimate administrative tasks, malicious use of it can more easily slip past defensive measures. PowerShell also grants significant power over a Windows computer, enabling the malware operator to act at the admin level inside a victim organisation, potentially stealing data and executing commands almost without restraint.

Though it is confirmed that only one domestic aerospace company has fallen victim to the cyberattack, there might be more targets that have remained undiscovered. Researchers hinted at a common piece of associated software, but they cannot exactly pinpoint its source. Though it is uncertain thus far, the researchers suspect that a nation-state actor is behind PowerDrop. The gravity of the threat cannot be ignored given the ongoing war in Ukraine and political tensions in Taiwan.
 
To prevent attacks like PowerDrop and other LotL malware, cybersecurity experts suggest approaches such as red team exercises, AI-driven behavioral analysis, and application whitelisting. Aerospace companies and other high-value targets could adopt these tactics. Moreover, organisations should enable PowerShell script block logging, which records the decoded PowerShell commands that are actually run. Admins could also consider auditing WMI events, as WMI is commonly used by malware as a way to persist. By reviewing these logs, admins can see how malware registers itself as a seemingly legitimate service and detect or stop the attack.
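The two defensive measures above, script block logging and WMI persistence auditing, as a worked PowerShell example added here (this is not code from the article or from Adlumin; the registry path, event IDs and WMI subscription classes are real Windows features, while the keyword heuristics in `Get-SuspiciousScriptBlocks` are an assumed, generic starting point, not PowerDrop-specific indicators, which the article does not list):

```powershell
# Added example: turn on PowerShell script block logging and review the two
# log sources the article recommends. Run in an elevated PowerShell session.

function Enable-ScriptBlockLogging {
    # Policy key consulted by PowerShell 5+; creating it is equivalent to the
    # Group Policy setting "Turn on PowerShell Script Block Logging".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'EnableScriptBlockLogging'
}

function Get-SuspiciousScriptBlocks {
    param(
        [int]$MaxEvents = 500,
        # Assumed heuristic: constructs that decode or hide payloads. Tune for
        # your environment; legitimate admin scripts may also use some of these.
        [string[]]$Patterns = @('FromBase64String', 'Invoke-Expression',
            'DownloadString', 'Net.WebClient', '-EncodedCommand',
            'System.Security.Cryptography', 'Set-WmiInstance')
    )
    # Event 4104 carries the decoded script text that was executed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $text = $e.Properties[2].Value   # ScriptBlockText field of 4104
        $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Matches  = ($hits -join ', ')
                Preview  = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root\subscription. A filter
    # (trigger) bound to a CommandLineEventConsumer is the classic way malware
    # launches a command on a schedule or system event and survives reboots.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Binding references look like: __EventFilter.Name="..."
        $fName = ($b.Filter   -split '"')[1]
        $cName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            FilterName  = $fName
            Query       = $f.Query
            Consumer    = $cName
            CommandLine = $c.CommandLineTemplate
        }
    }
}

function Get-WmiSubscriptionEvents {
    # WMI-Activity event 5861 is written when a permanent event consumer is
    # registered, so it catches the moment persistence is installed.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Enable-ScriptBlockLogging
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
Get-WmiPersistence         | Format-List
Get-WmiSubscriptionEvents  | Format-List
```

Any row returned by `Get-WmiPersistence` whose `CommandLine` launches `powershell.exe` with an encoded or downloaded payload deserves a closer look; legitimate products rarely persist this way, so the list is usually short and easy to review. The 4104 events remain useful even when the attacker encrypts traffic, because logging happens after PowerShell has decoded the script it is about to run.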
 
Amid the discovery of the PowerDrop malware attack, many have referred to the malware as “cool stuff.” However, the likelihood that similar smart malware will be developed and replicated poses a massive cybersecurity risk, showing that the spread of these cyber-attacks is far from over.
