Powerdrop

Malware updated 7 days ago (2024-11-29T14:53:59.504Z)
PowerDrop is a custom PowerShell-based malware that, in the activity reported so far, primarily targets the US aerospace industry. It combines deception, encoding and encryption to evade detection: the script is executed through Windows Management Instrumentation (WMI) rather than from a file on disk, and its command and control and data exfiltration use channels that most security tooling does not inspect closely, notably Internet Control Message Protocol (ICMP).

The Adlumin team, which issued the original advisory, describes the malware as blending into ordinary network management transactions: the PowerShell command line arguments are encoded, and persistence is achieved through a WMI subscription registered under the misleading name 'SYSTEMPOWERMANAGER', chosen to look like a legitimate system component. According to the advisory, this combination of no on-disk artifact, encoded arguments and ICMP-based transport lets PowerDrop slip past commonly deployed Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools, which increases the risk to the targeted industries. MixMode has stated that its Third Wave AI product can detect and mitigate the malicious PowerShell script before it causes widespread damage.

The tradecraft and implementation suggest Advanced Persistent Threat (APT) activity, and researchers suspect a nation-state operator, but no definitive attribution to a known threat actor has been established. The geopolitical context, including the war in Ukraine and political tensions over Taiwan, raises the stakes for the targeted sector.
Analysts recommend red team exercises or AI-driven behavioral analysis to protect against PowerDrop and similar Living off the Land (LotL) malware.
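As an added example (this is not code from the advisory, Adlumin, or MixMode), the following Python scans WMI event-consumer records for the two traits described above: a command-line consumer that launches PowerShell with an encoded command line (including the abbreviated -e / -ec / -enc forms PowerShell accepts), and the SYSTEMPOWERMANAGER registration name. The records, their field names (Name, Type, Destination, modeled on the Sysmon Event ID 20 WmiEventConsumer layout) and the placeholder script inside the base64 blob are constructed for this example; nothing here is PowerDrop's actual payload.

```python
import base64
import binascii
import re

# Constructed placeholder script, NOT the PowerDrop payload. It only exists so
# the sample record below carries a realistic -EncodedCommand blob.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed placeholder, not the PowerDrop payload'"


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (assumed field names, modeled on Sysmon Event ID 20).
SAMPLE_WMI_CONSUMERS = [
    {"Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Destination": "N/A"},
    {"Name": "SYSTEMPOWERMANAGER", "Type": "Command Line",
     "Destination": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                    "-NoP -NonI -W Hidden -Enc " + encode_powershell(PLACEHOLDER_SCRIPT)},
    {"Name": "BackupJob", "Type": "Command Line",
     "Destination": "C:\\Windows\\System32\\cmd.exe /c robocopy D:\\data E:\\bak /MIR"},
]

# Registration name reported for PowerDrop in the advisory summarised above.
WATCHLIST_NAMES = {"SYSTEMPOWERMANAGER"}

# powershell.exe accepts -EncodedCommand and its unambiguous abbreviations.
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed blob: report nothing rather than a garbled string


def score_consumer(record: dict) -> list:
    """Reasons this consumer deserves a look; an empty list means nothing stood out."""
    reasons = []
    dest = record.get("Destination", "")
    if record.get("Type", "").lower().startswith("command line"):
        if "powershell" in dest.lower():
            reasons.append("commandline-consumer-runs-powershell")
        if extract_encoded_command(dest) is not None:
            reasons.append("encoded-powershell-argument")
        if re.search(r"-w(?:indowstyle)?\s+hidden", dest, re.IGNORECASE):
            reasons.append("hidden-window")
    if record.get("Name", "").upper() in WATCHLIST_NAMES:
        reasons.append("watchlist-name")
    return reasons


def scan_wmi_consumers(records):
    """Return (name, reasons, decoded_script) for every consumer with at least one reason."""
    hits = []
    for r in records:
        reasons = score_consumer(r)
        if reasons:
            hits.append((r["Name"], reasons, extract_encoded_command(r.get("Destination", ""))))
    return hits


if __name__ == "__main__":
    for name, reasons, script in scan_wmi_consumers(SAMPLE_WMI_CONSUMERS):
        print(f"{name}: {', '.join(reasons)}")
        if script:
            print("  decoded:", script)
```

On a live host the same three fields can be pulled from the subscription namespace with `Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer` (and `__EventFilter` / `__FilterToConsumerBinding` for the trigger side) and fed into `scan_wmi_consumers`. The decoded script is the artifact worth keeping, since the page notes nothing is written to disk. The ICMP channel needs a separate network-side check and is not covered by this host-side example.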
Description last updated: 2024-10-17T12:49:35.337Z
Aliases: none currently tracked
Miscellaneous associations (other context that could aid in identifying relevance): Malware, Windows