US Aerospace Contractor Hacked With PowerDrop Backdoor

Published: 23/11/2024   Category: security




Hackers used a little to do a lot, cracking a high-value target with hardly more than the living-off-the-land tools (PowerShell especially) found on any standard Windows computer.



Hackers utilizing native Windows tools have managed to infect at least one US defense contractor with a novel backdoor, which could have paved the way for additional malware implantation or worse.
In a report published June 6, researchers from Adlumin nicknamed the backdoor PowerDrop, after a "DRP" string used in the code and because it is built on PowerShell, Windows' combined command shell and scripting language.
"Because it's through Windows PowerShell, PowerDrop essentially has full access to the computer," explains Kevin O'Connor, director of threat research at Adlumin. "It runs with administrative privileges, and the attackers can issue any remote command they want."
"Overall, PowerDrop straddles the line between what you see from advanced persistent threats (APTs), and the more basic script kiddie stuff," O'Connor assesses. "It has some unique security precautions to protect itself but it also in some ways messes those up."
For example, to avoid making too much noise, PowerDrop splits any large messages sent to and from the target machine into multiple, smaller messages. It also encrypts its payloads. To do so, however, "it uses a static key that doesn't ever change, to encrypt everything. And so it's really detectable," O'Connor says. Any defender who recovers that key from the script can decrypt every captured exchange, and the unchanging key itself becomes a signature.
Any shortcomings are made up for, however, by the hackers' shrewd use of standard-fare Windows programs in a living-off-the-land (LotL) strategy.
To establish persistence, the attack employs Windows Management Instrumentation (WMI), an interface designed to help system administrators manage various aspects of their operational environments, to register itself as what looks like a legitimate administrative job: a WMI event subscription rather than a file written to disk.
"As a result," O'Connor says, "it looks like anything else that would be registered on the system, and it doesn't leave malicious files on the disk."
Most importantly, PowerDrop isn't anything more than a PowerShell script.
PowerShell is popular among hackers for two primary reasons. First, because it's so ubiquitously used for perfectly legitimate IT tasks, it allows malicious behavior to more easily sneak past prying eyes.
Beyond that, PowerShell affords significant power over a Windows computer, whether the user wielding it is an IT manager or a hacker. PowerDrop could have enabled its operators to work at the admin level in the defense contractor's network, stealing data or executing commands almost without restraint.
Thus far, PowerDrop has been confirmed to have compromised only one domestic aerospace company, and scant details are available on the actual attack.
"But," O'Connor qualifies, "we've actually had reports of other users having found this — it looks like there may be a common piece of software that this is associated with — we just haven't been able to tie it down yet."
Considering the nature of the victim and the malware, the researchers suspect the perpetrators of PowerDrop may be associated with a nation-state. The gravity of that is only compounded by the backdrop of war in Ukraine and political tensions in Taiwan.
To protect against PowerDrop and similar LotL malware, analysts can try approaches like red team exercises, or AI-driven behavioral analysis that prioritizes the nature of a program's actions rather than simply what it's made of.
For his part, O'Connor suggests a few more straightforward steps that aerospace organizations and similar high-value targets can take, such as application whitelisting (allowlisting): only allowing trusted applications and processes to run on a system.
Additionally, he says, organizations can make sure that they have script block logging enabled, "which actually shows you the decoded PowerShell commands that are running, beyond just the command line arguments that encase them."
Admins might also consider auditing WMI events. WMI, O'Connor points out, "is really commonly used by malware as a way to persist these days. A lot of people aren't looking at those jobs. But if you go in, you can see how this malware registers itself as SYSTEMPOWERMANAGER, and … it's not system power managing." This and other precautions, together, might be enough to fend off a backdoor as clever but imperfect as PowerDrop.
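The following script is an added example for this page, not code from the article, from Adlumin, or from the malware itself. It puts the two recommendations above, script block logging and WMI event auditing, into a single host check that also covers the WMI persistence mechanism described earlier: it verifies that script block logging (event ID 4104) is switched on, lists every permanent WMI event subscription (filter, consumer and binding) in root\subscription, and scans recent 4104 records for script text that creates such subscriptions or stages encoded payloads. The name SYSTEMPOWERMANAGER is the one quoted in the article; every other pattern in the heuristic list is an assumption chosen here, not an indicator taken from the report. The registry path, CIM classes and event log name are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Adlumin's report): audit the telemetry
# O'Connor recommends on one Windows host. Run in an elevated PowerShell session.

# Policy key that the "Turn on PowerShell Script Block Logging" GPO writes.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

# Heuristic regexes applied to decoded 4104 script text. Only the first entry is
# quoted in the article; the rest are assumptions about what WMI persistence and
# encoded-payload staging look like when written in PowerShell.
$suspiciousPatterns = @(
    'SYSTEMPOWERMANAGER',                      # subscription name quoted in the article
    'root\\subscription',                      # script touching the WMI subscription namespace
    '__EventFilter|__FilterToConsumerBinding', # building a permanent event subscription
    'CommandLineEventConsumer|ActiveScriptEventConsumer',
    'FromBase64String',                        # decoding an embedded payload
    '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}' # spawning an encoded command line
)

function Test-ScriptBlockLogging {
    # True only when the policy value exists and is 1; otherwise 4104 events
    # are limited to blocks PowerShell itself considers suspicious.
    $p = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableScriptBlockLogging -eq 1)
}

function Get-WmiPersistence {
    # Enumerate the three object types that make up a permanent WMI event
    # subscription. Querying the abstract __EventConsumer returns the concrete
    # consumer instances (CommandLine, ActiveScript, NTEventLog, ...).
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($f in $filters) {
        [pscustomobject]@{ Type = 'Filter'; Class = '__EventFilter'; Name = $f.Name; Detail = $f.Query }
    }
    foreach ($c in $consumers) {
        # The payload lives in a class-specific property; show the one that applies.
        $detail = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }
        [pscustomobject]@{ Type = 'Consumer'; Class = $c.CimClass.CimClassName; Name = $c.Name; Detail = $detail }
    }
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; .Name resolves to the bound instance's key.
        [pscustomobject]@{ Type = 'Binding'; Class = '__FilterToConsumerBinding'
                           Name = $b.Filter.Name; Detail = "-> $($b.Consumer.Name)" }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)
    # 4104 carries the decoded script text (Properties[2]) and the source path (Properties[4]),
    # which is what distinguishes it from plain command-line logging.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        $hit  = $suspiciousPatterns | Where-Object { $text -match $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pattern = $hit
                Path    = $e.Properties[4].Value
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# --- Run the three checks ---------------------------------------------------
if (Test-ScriptBlockLogging) {
    Write-Host '[+] Script block logging is enabled; 4104 events contain decoded script text.'
} else {
    Write-Warning 'Script block logging is disabled. Enable it with:'
    Write-Warning "  New-Item -Path '$sblKey' -Force | Out-Null"
    Write-Warning "  Set-ItemProperty -Path '$sblKey' -Name EnableScriptBlockLogging -Value 1 -Type DWord"
}

Write-Host "`n== Permanent WMI event subscriptions (review each; some are legitimate) =="
Get-WmiPersistence | Tee-Object -Variable wmi | Format-Table -AutoSize
$wmi | Where-Object { $_.Name -match 'SYSTEMPOWERMANAGER' -or $_.Detail -match 'powershell' } |
    ForEach-Object { Write-Warning "Review: $($_.Class) '$($_.Name)' $($_.Detail)" }

Write-Host "`n== Recent 4104 script blocks matching persistence/encoding heuristics =="
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Expect at least one benign pair in the subscription listing on any Windows build (the default "SCM Event Log Filter" bound to an NTEventLogEventConsumer); the point of the audit is to read the Query and CommandLineTemplate of each remaining entry rather than to alert on count alone. A consumer whose command line launches powershell.exe, or a filter that fires on a timer or on process start, is the shape a PowerShell-based implant such as PowerDrop takes, and that is exactly the job O'Connor says too few people look at.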
"It's really cool stuff," O'Connor says, reflecting on his discovery. "I've worked at the NSA for years, and I just love this kind of stuff."
