Hackers utilizing native Windows tools have managed to infect at least one US defense contractor with a novel backdoor, which could have paved the way for additional malware implantation or worse.
In a report published June 6, researchers from Adlumin nicknamed the backdoor “PowerDrop,” after a “DRP” string used in the code, and because it’s based in Powershell — the dual command shell-plus-scripting language.
“Because it’s through Windows PowerShell, PowerDrop essentially has full access to the computer,” explains Kevin O’Connor, director of threat research at Adlumin. “It runs with administrative privileges, and the attackers can issue any remote command they want.”
How PowerDrop LotLs
Overall, PowerDrop “straddles the line between what you see from advanced persistent threats (APTs), and the more basic script kiddie stuff,” O’Connor assesses. “It has some unique security precautions to protect itself but it also in some ways messes those up.”
For example, to avoid making too much noise, PowerDrop splits any large messages sent to and from the target machine into multiple, smaller messages. It also encrypts its payloads. To do so, however, “it uses a static key that doesn’t ever change, to encrypt everything. And so it’s really detectable,” O’Connor says.
Any shortcomings are made up for, however, by the hackers’ shrewd use of standard-fare Windows programs in a “living-off-the-land” (LotL) strategy.
To establish persistence, the attack employs Windows Management Instrumentation (WMI) — an interface designed to help system administrators manage various aspects of their operational environments — to register itself as a legitimate service.
As a result, O’Connor says, “it looks like anything else that would be registered on the system, and it doesn’t leave malicious files on the disk.”
Most importantly, PowerDrop isn’t anything more than a PowerShell script.
PowerShell is popular among hackers for two primary reasons. First, because it’s so ubiquitously used for perfectly legitimate IT tasks, it allows malicious behavior to more easily sneak past prying eyes.
Beyond that, PowerShell affords significant powers over a Windows computer, whether the user wielding it is an IT manager or hacker. PowerDrop could have enabled its proprietors to operate at the admin level in the defense contractor’s network, stealing data or executing commands almost without restraint.
Nation-State Actor Likely Behind PowerDrop
Thus far, PowerDrop has been confirmed only to have compromised one domestic aerospace company, and scant details are available on the actual attack.
But, O’Connor qualifies, “we’ve actually had reports of other users having found this — it looks like there may be a common piece of software that this is associated with — we just haven’t been able to tie it down yet.”
Considering the nature of the victim and the malware, the researchers suspect the perpetrators of PowerDrop may be associated with a nation-state. The gravity of that is only compounded by the backdrop of war in Ukraine, and political tensions in Taiwan.
Addressing LotL Attacks
To protect against PowerDrop and similar LotL malware, analysts can try approaches like red team exercises, or AI-driven behavioral analysis that prioritizes the nature of a program’s actions rather than simply what it’s made of.
For his part, O’Connor suggests a few more straightforward steps that aerospace organizations and similar high-value targets can take, such as whitelisting: only allowing trusted applications and processes to run on a system.
Additionally, he says, organizations can “make sure that they have script block logging enabled, which actually shows you the decoded PowerShell commands that are running,” beyond just the command line arguments that encase them.
Admins might also consider auditing WMI events. WMI, O’Connor points out, “is really commonly used by malware as a way to persist these days. A lot of people aren’t looking at those jobs. But if you go in, you can see how this malware registers itself as ‘SYSTEMPOWERMANAGER’, and … it’s not system power managing.” This and other precautions, together, might be enough to fend off a backdoor as clever but imperfect as PowerDrop.
“It’s really cool stuff,” O’Connor says, reflecting on his discovery. “I’ve worked at the NSA for years, and I just love this kind of stuff.”