Adlumin cybersecurity experts have discovered a new malicious script called “PowerDrop” that uses PowerShell and WMI to inject a hidden remote access trojan into compromised networks.
The script was identified on the network of a US Department of Defense contractor and apparently belongs to a state-sponsored hacker group.
Let me remind you that we also wrote about PureCrypter Malware Attacks Government Organizations in Asia and North America, and you might also be interested in the Washington Post Reveals How Russia’s Much-Vaunted Cyber Capability Failed in Ukraine article.
Information security specialists also reported that Russian-speaking hackers attacked the government infrastructure of Poland.
PowerDrop is a Base64-encoded PowerShell script that is executed by the Windows Management Instrumentation (WMI) service and acts as a backdoor or RAT.
Looking at the system logs, the researchers found that the malicious script was executed through previously registered WMI event filters and consumers named SystemPowerManager, which the malware created with the “wmic.exe” command-line tool when it compromised the system.
According to Adlumin experts, the WMI event filter fires when a class is updated, which in turn triggers execution of the PowerShell script. The filter is throttled to fire at most once every 120 seconds.
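A defender-side check for the persistence mechanism described above, written as an added example (this is not Adlumin's code and not part of the original article): it enumerates permanent WMI event subscriptions and flags bindings whose filter or consumer carries the reported name, or whose consumer launches PowerShell with an encoded or hidden command. The name `SystemPowerManager` comes from the article; the function and parameter names are assumptions of this example.

```powershell
# Added example (not Adlumin's code): enumerate permanent WMI event subscriptions
# and flag those that match the persistence pattern the article describes.

function Get-WmiReferenceName {
    # Under Get-CimInstance a binding's Filter/Consumer property is a CimInstance;
    # some providers return a path string like __EventFilter.Name="X". Handle both.
    param($Reference)
    if ($Reference -is [string]) { return ($Reference -replace '.*Name="([^"]+)".*', '$1') }
    return $Reference.Name
}

function Get-SuspiciousWmiSubscription {
    [CmdletBinding()]
    param(
        [string]$Namespace = 'root\subscription',
        # 'SystemPowerManager' is the filter/consumer name reported in the article.
        [string[]]$SuspiciousNames = @('SystemPowerManager')
    )

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    # Encoded or hidden PowerShell launches: -e/-enc/-EncodedCommand, a hidden
    # window, or a long Base64 blob passed on the command line.
    $encodedPattern = '(?i)powershell.*(\s-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|[A-Za-z0-9+/]{60,}={0,2})'

    foreach ($binding in $bindings) {
        $filterName   = Get-WmiReferenceName $binding.Filter
        $consumerName = Get-WmiReferenceName $binding.Consumer
        $filter   = $filters   | Where-Object Name -eq $filterName
        $consumer = $consumers | Where-Object Name -eq $consumerName

        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs script text.
        $action = switch ($consumer.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '' }
        }

        $reasons = @()
        if ($filterName -in $SuspiciousNames -or $consumerName -in $SuspiciousNames) { $reasons += 'known-bad name' }
        if ($action -match $encodedPattern) { $reasons += 'encoded/hidden PowerShell in consumer' }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query
            Consumer      = $consumerName
            ConsumerClass = $consumer.CimClass.CimClassName
            Action        = $action
            Suspicious    = ($reasons.Count -gt 0)
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Review every binding on this host, then list only the suspicious ones.
Get-SuspiciousWmiSubscription | Where-Object Suspicious | Format-List
```

Run it from an elevated PowerShell session; reading `root\subscription` requires administrative rights. The name match is only a convenience, since an attacker can rename the subscription, so the consumer-content check is the one that matters. For continuous coverage rather than a point-in-time sweep, Sysmon records WMI filter, consumer and binding registration as event IDs 19, 20 and 21, and PowerShell Script Block Logging (event ID 4104) captures the decoded content of Base64-encoded scripts at execution time.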
Once activated, PowerDrop sends an encrypted ICMP request to its C2 server reporting a successful infection. It then waits 60 seconds for a response, which usually contains a command to execute.
The script then decrypts the received response from the server as a data packet using a hard-coded 128-bit AES key and a 128-bit initialization vector, and then executes the required command on the infected host.
After executing the command, PowerDrop sends the results back to the C2 server, and if they are too large, it splits them into 128-byte fragments, which are then transmitted in a stream of several messages.
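A network-side heuristic for the C2 channel described in the three paragraphs above, added here as an example (not Adlumin's code and not part of the original article): ICMP echo payloads produced by the Windows `ping` client are a fixed, low-entropy ASCII pattern, whereas AES-encrypted command traffic looks like random bytes. The function names, the entropy threshold and both sample payloads are assumptions constructed for this example; the second sample is PRNG output standing in for an encrypted 128-byte fragment, not captured PowerDrop traffic.

```powershell
# Added example (not Adlumin's code): flag ICMP echo payloads that are neither the
# standard Windows ping pattern nor low-entropy, a generic indicator of encrypted
# data carried over ICMP.

function Get-ShannonEntropy {
    # Bits of entropy per byte; 0 for an empty or constant buffer, up to 8 for uniform random bytes.
    param([byte[]]$Bytes)
    if ($Bytes.Count -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $entropy = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Count
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function Test-SuspiciousIcmpPayload {
    param(
        [byte[]]$Payload,
        # Threshold is an assumption: the 32-byte ping pattern scores about 4.4 bits,
        # 128 encrypted-looking bytes score well above 6.
        [double]$EntropyThreshold = 5.5
    )
    # The Windows ping client fills its default 32-byte echo payload with this sequence.
    $pingPattern = [System.Text.Encoding]::ASCII.GetBytes('abcdefghijklmnopqrstuvwabcdefghi')
    $isStandardPing = [BitConverter]::ToString($Payload) -eq [BitConverter]::ToString($pingPattern)
    $entropy = Get-ShannonEntropy -Bytes $Payload

    [pscustomobject]@{
        Length       = $Payload.Count
        Entropy      = [Math]::Round($entropy, 2)
        StandardPing = $isStandardPing
        Suspicious   = (-not $isStandardPing) -and ($entropy -ge $EntropyThreshold)
    }
}

# Constructed sample 1: a normal Windows ping echo payload (32 bytes).
$normalPayload = [System.Text.Encoding]::ASCII.GetBytes('abcdefghijklmnopqrstuvwabcdefghi')

# Constructed sample 2: 128 bytes from a fixed-seed PRNG, standing in for one of the
# encrypted 128-byte fragments the article describes. Not real captured traffic.
$rng = [System.Random]::new(1234)
$encryptedLikePayload = New-Object byte[] 128
$rng.NextBytes($encryptedLikePayload)

foreach ($sample in @($normalPayload, $encryptedLikePayload)) {
    Test-SuspiciousIcmpPayload -Payload $sample
}
```

In practice the `Payload` argument is the ICMP data field extracted from a packet capture or from a sensor that exports it. Treat a hit as a lead rather than a verdict: some legitimate tools also send non-standard echo payloads, so pair this with the host-side WMI and PowerShell telemetry, and with a check for hosts that exchange ICMP with an external address at a steady interval when they otherwise never ping it.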
Adlumin’s researchers concluded that the hackers’ use of PowerShell and WMI, combined with the fact that PowerDrop never accesses the disk and all its communications with the C2 server are carefully encrypted, makes the threat particularly stealthy.
Organizations, especially those in the US aerospace defense industry, need to remain vigilant against this threat by monitoring PowerShell execution and identifying unusual activity in WMI.