Novel PowerDrop malware attacks have been launched against U.S. aerospace defense organizations, with a U.S. defense contractor's network discovered to have already been compromised, BleepingComputer reports.
Both Windows Management Instrumentation (WMI) and PowerShell have been leveraged by PowerDrop to establish a persistent remote access trojan on affected networks, according to an Adlumin report.
Exploits, phishing emails, and fraudulent software download sites may have been used by threat actors to distribute PowerDrop, whose malicious PowerShell script is executed through previously registered WMI event filters and consumers.
"The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script. Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated," said Adlumin.
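Because the persistence described above lives entirely in permanent WMI event subscriptions, the defender's first check is to enumerate every filter, consumer, and filter-to-consumer binding on a host and flag the ones that launch PowerShell. The script below is an added example written for this page; it is not code from Adlumin, BleepingComputer, or the PowerDrop samples. It assumes an elevated Windows PowerShell session on the host being audited, and the keyword list it uses to flag consumers is an illustrative heuristic, not indicators published for PowerDrop.

```powershell
# Added example (not from the Adlumin report): audit permanent WMI event
# subscriptions in root/subscription, the mechanism the article attributes
# to PowerDrop's persistence. Run from an elevated Windows PowerShell session.

function Get-WmiPersistenceAudit {
    [CmdletBinding()]
    param(
        # Illustrative keywords (an assumption, not published PowerDrop indicators)
        # that, in a consumer's command line or script body, warrant analyst review.
        [string[]]$SuspiciousKeywords = @(
            'powershell', '-enc', '-e ', 'frombase64string', 'iex',
            'invoke-expression', 'downloadstring', 'hidden', 'bypass'
        )
    )

    $ns = 'root/subscription'

    # Permanent subscriptions are three linked objects: a filter (WQL query that
    # decides when to fire), a consumer (what to run), and the binding between them.
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Binding references carry the target's key, e.g. __EventFilter.Name="x";
    # pull the Name out of the string form so this works for either object form.
    function Get-RefName([object]$ref) {
        if ([string]$ref -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
        return [string]$ref
    }

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer

        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer
        # exposes ScriptText. Other consumer classes leave both null.
        $payload = if ($c) { @($c.CommandLineTemplate, $c.ScriptText) -join ' ' } else { '' }

        $hits = @()
        foreach ($kw in $SuspiciousKeywords) {
            if ($payload -and $payload.ToLower().Contains($kw.ToLower())) { $hits += $kw }
        }

        # The report describes a filter that fires when a WMI class is updated and is
        # throttled to once per 120 seconds; the WQL Query field is where that
        # trigger and its polling interval would be visible to an analyst.
        [pscustomobject]@{
            FilterName     = $filterName
            FilterQuery    = if ($f) { $f.Query } else { '<filter not found>' }
            EventNamespace = if ($f) { $f.EventNamespace } else { '' }
            ConsumerName   = $consumerName
            ConsumerClass  = if ($c) { $c.CimClass.CimClassName } else { '<consumer not found>' }
            Payload        = $payload
            Suspicious     = ($hits.Count -gt 0)
            MatchedKeyword = ($hits -join ',')
        }
    }
}

# Usage: list every binding, suspicious ones first, for triage.
Get-WmiPersistenceAudit |
    Sort-Object -Property Suspicious -Descending |
    Format-Table FilterName, ConsumerClass, Suspicious, MatchedKeyword, FilterQuery -AutoSize
```

On a clean workstation the result is usually empty or limited to well-known vendor subscriptions (for example the SCM event log consumer that ships with Windows), so any binding whose consumer launches PowerShell, especially with an encoded or hidden command line, deserves a full look at both the query and the payload rather than a keyword match alone. Removing a malicious subscription means deleting the binding, the filter, and the consumer, in that order, after the evidence has been preserved.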
The report also showed that PowerDrop splits command execution results into multiple 128-byte chunks when they are too large to send in one piece.