Tag Archive for: PowerShell

“PowerDrop” PowerShell Malware Targets US Aerospace Industry


A new PowerShell malware script named “PowerDrop” has been discovered to be used in attacks targeting the aerospace defense industry in the US.

The malware was discovered by security researchers at Adlumin, who last month found a sample of the malware in a defense contractor’s network.

On Tuesday, the Adlumin team published an advisory about PowerDrop, saying the malware “straddles the line between a ‘basic off-the-shelf threat’ and tactics used by Advanced Persistent Threat Groups (APTs).”

PowerDrop relies on advanced techniques to evade detection, including deception, encoding and encryption.

“The code for PowerDrop appears to be custom, designed to be stealthy and evade detection, executed via WMI, does not reside on disk, uses uncommon methods for communication and exfiltration of data and is not available as an off-the-shelf product,” explained James Lively, endpoint security research specialist at Tanium.

“[However], based on the capabilities of PowerDrop, how they are implemented, and how the threat actor is using PowerDrop in the aerospace industry, it is indicative of Advanced Persistent Threat (APT) activity.”

Andrew Barratt, vice president at Coalfire, added that criminal actors typically use PowerShell because of its extensive range of features and because it can avoid detection by leveraging infrastructure that already exists in commonly used computing environments.

“These are useful because they can be easily dropped into a working environment by email or USB and don’t require a sophisticated zero-day to be burned as part of the attack,” Barratt added.

“The US and allies’ primary weapons systems’ manufacturers should be on high alert for this activity and be critically monitoring their supply chains in case they become a source of attack.”


Adlumin stated in their advisory that the perpetrator behind PowerDrop had not been specifically identified, but they suspect that nation-state hackers may be involved. 

“The absence of a clear attribution to a specific threat actor further deepens the mystery surrounding PowerDrop,” said Craig…


Gootloader malware gets an update with PowerShell tech • The Register


The operators behind Gootloader, a crew dubbed UNC2565, have upgraded the code in cunning ways to make it more intrusive and harder to find.

Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package – also known as Gootkit – in November 2022, including using multiple variations of FONELAUNCH, a .NET-based loader, as well as some newly developed payloads and obfuscation techniques. There are also changes in its infection chain, including a new variant called Gootloader.PowerShell.

“These changes are illustrative of UNC2565’s active development and growth in capabilities,” the researchers wrote in a report, adding that the group is the only one known to use the malware.

A Gootloader infection starts with a search engine optimization (SEO) poisoning attack: a victim searching online for business-related documents, such as templates, agreements or contracts, is lured to a website compromised by the criminal gang.

The documents offered on the site are in fact malicious ZIP archives housing malware written in JavaScript. Once the file is opened and the malware runs, further payloads such as Cobalt Strike, FONELAUNCH, and SNOWCONE are delivered, along with another collection of downloaders whose payloads include the high-profile IcedID banking trojan.

Three months ago, Mandiant researchers began seeing the Gootloader.PowerShell variant, whose infection chain writes a second JavaScript file to the system’s disk. That file reaches out to 10 hard-coded URLs, with each request containing encoded data about the compromised system, such as the Windows version it is running, the running processes and filenames.

This one isn’t stopping

Gootloader in the months since May 2021 has used three variants of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE.

“The evolution of FONELAUNCH variants over time has allowed…


Fileless Ransomware: Powershell Netwalker


