Windows Malware Targets Defense & Aerospace


A new PowerShell malware script named ‘PowerDrop’ has been discovered being used to attack the U.S. Defense & Aerospace industry. The cyber threat was discovered by security researchers during a routine analysis of a U.S. Defense contractor’s network.

PowerDrop is a stealthy Windows PowerShell script that can drop into networks undetected. It leverages the Windows Management Instrumentation (WMI) service, a legitimate system tool on Windows computers, and encodes itself using Base64. This allows PowerDrop to function as a persistent Remote Access Trojan (RAT) within compromised networks.

The insidious nature of PowerDrop lies in its clever misuse of the WMI system. By pre-registering itself as a WMI ‘event filter and consumer’, it sets up a trigger-action system in which a specific event initiates the execution of its malicious PowerShell script. Like a wolf in sheep’s clothing, this tactic lets PowerDrop run its script repeatedly under standard system processes, evading detection. The malware encrypts its communications with AES (Advanced Encryption Standard) and never manifests as a “.ps1” script file on disk; together these significantly enhance its stealth.

Few details are available on the number of PowerDrop infections; however, there have been reports of widespread instances where this malware has been found. It appears there may be a common piece of software that it is associated with, but further information is required to confirm this.

Its focus on a highly sensitive sector, combined with its timing, suggests that a state-sponsored actor might be behind this string of attacks. Given its stealth capabilities and that focus, PowerDrop can cause significant damage, both in terms of data loss and potential service disruptions.

Acreto Solution

Acreto’s Ecosystem solution can offer a comprehensive defense against the PowerDrop malware attack.

  • Reduced Attack Surface: By delivering dedicated security infrastructure per application, use-case, project, or third party, Acreto inherently limits access to only those entities that need to interoperate together. This significantly reduces the attack surface which attackers could exploit.

  • Isolation: Using micro-segmentation and nano-segmentation, Acreto isolates individual or groups of systems on a shared network, or entire networks, limiting access to only the systems that need to interoperate together. This approach could prevent the lateral movement of PowerDrop within your infrastructure.

  • Encrypted Secure Scan: As PowerDrop sends encrypted commands, Acreto’s Encrypted Secure Scan can decrypt, scan, and re-encrypt communications in real time. This feature would allow it to detect and block malicious payloads embedded in the encrypted commands from the C2 server.

  • Access Control: PowerDrop uses the ICMP protocol for its beaconing process, and with Acreto you can control the network protocols and ports that any Ecosystem member can use. Limiting or scrutinizing ICMP usage could help in detecting PowerDrop’s beaconing process. Additionally, Acreto controls application program and application protocol access, adding another layer of security.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network, or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

  • Device: Assigns a unique identity to each device so that a device that does not rely on a user to operate, such as an autonomous application or IoT device, can be validated before it is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls

  • Social Security Number Upload / Download Controls

  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name, then choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.

Mechanisms of Attack

  • Infection: The initial compromise is unclear, but the attackers might deploy the PowerDrop script using an exploit, phishing emails, or spoofed software download sites.

  • Execution: PowerDrop is a PowerShell script that is executed by the Windows Management Instrumentation (WMI) service. It is encoded using Base64 and functions as a backdoor or Remote Access Trojan (RAT).

  • Registration: PowerDrop registers previously created WMI event filters and consumers named ‘SystemPowerManager’ using the ‘wmic.exe’ command-line tool. This is done upon system compromise.

  • Triggering: WMI, a built-in Windows feature, is used to trigger the PowerShell command by querying for updates to a performance-monitoring class. This class is frequently updated with performance-related information, and the WMI event filter fires when the class is updated, leading to execution of the PowerShell script. The filter is throttled to once every 120 seconds as long as the WMI class has been updated.

  • Beaconing: After the script is activated, PowerDrop sends a hardcoded ICMP echo to its Command and Control (C2) server address to indicate that a new infection is active. The payload of this ICMP echo is an unobfuscated UTF16-LE encoded string, which allows the C2 infrastructure to distinguish it from random probes.

  • Command Reception and Execution: After the beacon is sent, PowerDrop waits for a response from the C2 server, typically an encrypted and padded payload containing a command. The malware decrypts the payload using a hardcoded 128-bit AES key and a 128-bit initialization vector and executes the command on the infected host.

  • Feedback: The malware sends the results of the command execution back to the C2 server. If the results are too large, they are split into 128-byte chunks and transmitted in a stream of multiple messages.

This strategy allows PowerDrop to stealthily infiltrate systems, execute commands remotely, and send valuable data back to attackers.
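The Registration, Triggering and Beaconing steps above each leave an artifact a defender can look for: a WMI event filter that polls a performance class with a WITHIN throttle, a CommandLineEventConsumer that launches encoded PowerShell, a binding tying the two together, and ICMP echo payloads that decode as plain UTF-16LE text rather than the fixed byte patterns normal ping tools send. The script below is an added example written for this page; it is not Acreto’s code and not part of the original write-up. It assumes WMI activity is logged in the shape of Sysmon events 19, 20 and 21 (field names follow Sysmon’s schema; every value in the sample records is constructed, except the ‘SystemPowerManager’ name and the 120-second throttle reported above), and it treats a short printable-ASCII UTF-16LE string as a beacon candidate, which is a heuristic rather than a signature.

```python
"""Added example: hunting for PowerDrop-style WMI persistence and ICMP beacons."""
import re

# Constructed sample records that mimic the fields Sysmon logs for WMI activity
# (Event ID 19 = WmiEventFilter, 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter).
# All values are made up for this example, except the subscription name
# 'SystemPowerManager' and the 120-second throttle, which the write-up reports.
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "SystemPowerManager",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 120 "
               "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'")},
    {"EventID": 20, "Name": "SystemPowerManager", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"},  # constructed blob
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="SystemPowerManager"',
     "Filter": '__EventFilter.Name="SystemPowerManager"'},
    # A benign subscription Windows ships by default, included as a negative case.
    {"EventID": 19, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "NTEventLog",
     "Destination": "NTEventLogEventConsumer"},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# Filter queries that watch a performance-counter class (the trigger described above).
PERF_CLASS = re.compile(r"Win32_Perf(?:Formatted|Raw)Data", re.I)
# Command-line consumers that start PowerShell with an encoded command.
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\b", re.I)
# Extracts the Name="..." key from a WMI object path such as __EventFilter.Name="x".
NAME_IN_PATH = re.compile(r'Name="([^"]+)"')


def find_wmi_persistence(events):
    """Return sorted (indicator, subscription name) pairs for suspicious WMI subscriptions.

    A filter or consumer alone is flagged on its own merits; a binding (EID 21) is
    flagged only when it joins a suspicious filter to a suspicious consumer, which is
    the point at which the persistence actually becomes live.
    """
    findings = set()
    suspect_filters, suspect_consumers = set(), set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 19 and PERF_CLASS.search(ev.get("Query", "")):
            suspect_filters.add(ev["Name"])
            findings.add(("filter_polls_perf_class", ev["Name"]))
        elif (eid == 20 and ev.get("Type") == "Command Line"
              and ENCODED_PS.search(ev.get("Destination", ""))):
            suspect_consumers.add(ev["Name"])
            findings.add(("consumer_runs_encoded_powershell", ev["Name"]))
    for ev in events:
        if ev.get("EventID") != 21:
            continue
        fname = NAME_IN_PATH.search(ev.get("Filter", ""))
        cname = NAME_IN_PATH.search(ev.get("Consumer", ""))
        if (fname and cname and fname.group(1) in suspect_filters
                and cname.group(1) in suspect_consumers):
            findings.add(("binding_completes_persistence", fname.group(1)))
    return sorted(findings)


def looks_like_utf16le_beacon(payload: bytes) -> bool:
    """Heuristic: does an ICMP echo payload decode to short printable ASCII text in UTF-16LE?

    Default ping payloads (Windows: 'abcdefghijklmnopqrstuvwabcdefghi'; Linux: a
    timestamp followed by the bytes 0x10..0x37) decode to non-ASCII code points, so
    they are rejected, while an ASCII string encoded as UTF-16LE is accepted.
    """
    if len(payload) < 4 or len(payload) % 2:
        return False
    try:
        text = payload.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return all(32 <= ord(ch) < 127 for ch in text)


if __name__ == "__main__":
    for indicator, name in find_wmi_persistence(SAMPLE_EVENTS):
        print(f"{indicator}: {name}")
    # Constructed beacon text; the real beacon string is not given in the write-up.
    print(looks_like_utf16le_beacon("PowerDrop beacon".encode("utf-16-le")))
    print(looks_like_utf16le_beacon(b"abcdefghijklmnopqrstuvwabcdefghi"))
```

On a live host the same three checks map onto `Get-CimInstance -Namespace root/subscription` for the `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding` classes; the event-log form is shown here because it can be run offline over collected telemetry. The beacon heuristic only narrows ICMP traffic worth a closer look; pair it with the protocol and port controls described above rather than using it as a blocking rule on its own.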

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.