Cyber News - Living off the Land Attacks Against US Aerospace Industry
A current example of Living Off the Land (LOTL) attack methods
A new attack targeting the US aerospace industry has been identified, initially discovered in May by Adlumin Research. The techniques used in the attack include a malicious PowerShell script called PowerDrop. The researchers and others in the cyber industry suspect the attack (or series of attacks) is being carried out by a nation-state level adversary group, though that is not confirmed. There are a couple of notable things about this new attack.
The first notable aspect of this attack is that it started as a supply chain attack, meaning that the adversary group first compromised a supplier / partner company of the intended target or, in this case, targets.
The malware, dubbed PowerDrop, was found implanted on the network of an unnamed defense contractor in May …
The second and even more interesting aspect of this attack is the LOTL techniques used in it. It uses tools that are not only part of Windows systems, but are essential, core components of those systems - namely the Windows PowerShell scripting language and Windows Management Instrumentation (WMI), which is used to manage and monitor systems in Windows environments. This makes it less likely that security tools will raise alerts and in turn makes the attack techniques significantly harder to detect. Cloud Security Alliance has a nice breakdown of some of the details of this attack:
PowerDrop used ICMP (ping request) to keep track of whether these machines were in an active state.
PowerDrop has a 120-second interval for network traffic. This means the system waits 120 seconds to send traffic or request traffic from the victim's machine; this makes it harder to detect as thousands of logs flood a system per second. Therefore, the higher the wait interval, the harder malware is to detect, as it appears much less often within network logs.
It also runs once as a single PowerShell command. Therefore, no PowerShell file (PS1) must live within the victim's machine to take effect, making detection, analysis, or dissection of the malware harder.
(emphasis mine in that last bullet point)
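The slow, fixed-interval ICMP check-in described in the bullets above is exactly the kind of pattern that gets lost in a high-volume log, but it is also what makes it detectable if you look for regularity rather than volume. The script below is an added example (not from the original post or from the PowerDrop reporting) that scans constructed flow-log lines for source/destination pairs whose ICMP echo requests recur at roughly 120-second intervals; the log format, addresses and timestamps are all made up for the example.

```python
# Added example: flag hosts whose ICMP echo requests to one destination recur
# at a fixed interval, the beacon pattern described for PowerDrop.
# The log format and every sample line below are constructed for this example.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "timestamp src dst proto type" flow records.
SAMPLE_LOG = """\
2023-05-01T10:00:00 10.1.1.5 203.0.113.9 icmp echo-request
2023-05-01T10:00:07 10.1.1.7 10.1.1.1 icmp echo-request
2023-05-01T10:02:00 10.1.1.5 203.0.113.9 icmp echo-request
2023-05-01T10:03:51 10.1.1.7 10.1.1.1 icmp echo-request
2023-05-01T10:04:01 10.1.1.5 203.0.113.9 icmp echo-request
2023-05-01T10:05:30 10.1.1.7 10.1.1.1 icmp echo-request
2023-05-01T10:05:59 10.1.1.5 203.0.113.9 icmp echo-request
2023-05-01T10:08:00 10.1.1.5 203.0.113.9 icmp echo-request
2023-05-01T10:08:02 10.1.1.9 198.51.100.4 tcp syn
"""

def parse_icmp_requests(log_text):
    """Return {(src, dst): [timestamps]} for ICMP echo requests only."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "icmp" or parts[4] != "echo-request":
            continue
        flows[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return flows

def find_periodic_beacons(log_text, period=120, tolerance=5, min_hits=4):
    """Flag (src, dst) pairs whose echo requests recur every ~`period` seconds.

    `tolerance` (seconds) absorbs scheduling jitter; `min_hits` is how many
    consistent gaps are needed before a pair is reported.
    Returns {(src, dst): median_gap_seconds}.
    """
    hits = {}
    for pair, stamps in parse_icmp_requests(log_text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) >= min_hits:
            hits[pair] = median(regular)
    return hits

if __name__ == "__main__":
    for (src, dst), gap in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"possible ICMP beacon: {src} -> {dst} every ~{gap:.0f}s")
```

Only the 10.1.1.5 host is reported; the other pinging host has irregular gaps and the TCP record is ignored. On real data, raise `min_hits` and widen `tolerance` to fit the jitter your network actually shows.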
You can learn a bit more about how LOTL attacks work in my recent Cybersecurity Terms: Living off the Land post from a couple of months back. And you can find some of the reporting on the PowerDrop attack at: