A new PowerShell-based malware named PowerDrop has been observed in use by an unidentified threat actor targeting the American aerospace sector.
According to Adlumin, which found the malware implanted at an undisclosed domestic aerospace defense contractor in May 2023, PowerDrop uses advanced techniques to evade detection, including deception, encoding, and encryption.
The name combines the tool used to build the script, Windows PowerShell, with the string "DROP" (DRP) that the code uses for padding.
PowerDrop is a post-exploitation tool, meaning it is designed to collect information from target networks after access has already been gained by other means.
To initiate contact with a command-and-control (C2) server, the malware sends Internet Control Message Protocol (ICMP) echo request messages as beacons.
The server responds with an encrypted command, which is decrypted and executed on the infected host; the results of that command are then exfiltrated in a similar ICMP ping message.
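As an added illustration (not code from this article or from Adlumin's report), the following Python sketch shows how a defender can flag ICMP echo traffic being used as a C2 channel in the way described above: oversized or high-entropy echo payloads, and echo replies whose data does not mirror the request they answer. The thresholds, the benign-ping pattern allow-list, and the sample packets are constructed assumptions for this example, not values taken from PowerDrop.

```python
import math
import struct

# Thresholds are assumptions for this example, not PowerDrop-specific values.
MAX_BENIGN_PAYLOAD = 128   # echo payloads beyond this are unusual for ordinary ping
HIGH_ENTROPY_BITS = 6.0    # encrypted or compressed data approaches 8 bits per byte
WINDOWS_PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte Windows ping data

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload) from a raw ICMP echo packet."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty payload."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

class IcmpC2Detector:
    """Stateful checker that pairs echo replies with their requests by (ident, seq)."""
    def __init__(self):
        self.pending = {}  # (ident, seq) -> request payload awaiting its reply

    def inspect(self, packet: bytes) -> list:
        icmp_type, ident, seq, payload = parse_echo(packet)
        findings = []
        if len(payload) > MAX_BENIGN_PAYLOAD:
            findings.append("oversized payload")
        if payload != WINDOWS_PING_PATTERN and entropy(payload) > HIGH_ENTROPY_BITS:
            findings.append("high-entropy payload")
        if icmp_type == 8:
            self.pending[(ident, seq)] = payload
        elif icmp_type == 0:
            # A conforming reply echoes the request data unchanged (RFC 792); a reply
            # carrying different bytes is a command channel rather than a ping answer.
            request = self.pending.pop((ident, seq), None)
            if request is not None and request != payload:
                findings.append("reply payload differs from request")
        return findings
```

In practice the packets would come from a capture or sensor rather than being built inline, and the benign-pattern allow-list would be extended with the default payloads of the operating systems on the monitored network.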