PowerDrop is not a particularly sophisticated tool, but it does use standard ICMP (Internet Control Message Protocol) echo requests as its beacon back to the C2 (Command and Control) servers. When the C2 server receives a beacon, it responds with encrypted commands. Those commands are decrypted and executed on the host via a PowerShell call launched from WMI. Once a command has run, PowerDrop uses further ICMP echo requests to exfiltrate the output in 128-byte chunks. The small chunks are meant to stay under the volume thresholds that network monitoring uses to spot data exfiltration, and this is a fairly common exfiltration technique.
Taken piece by piece, PowerDrop is relatively ordinary in what it does and how it operates. The interesting part is that its detection-evasion choices show a good working knowledge of how defenses are deployed in an environment: small packets to slip past network monitors, WMI to spawn PowerShell so that rules keyed on suspicious parent and child process pairs do not fire, and obfuscated, encrypted commands so that content inspection has nothing readable to match. This threat group is clearly aware of security best practices. They built a tool that operates just outside of those practices, and so were able to remain undetected for a while.
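The behaviour described in the two paragraphs above (echo-request beacon, encrypted command in the reply, output exfiltrated as 128-byte chunks in further echo requests) is exactly what a network detection should key on. The following Python is an added example, not code from the original post or from the PowerDrop sample: it flags source/destination pairs that send many echo requests whose payloads are a non-standard size and have high byte entropy, which is how chunked ciphertext differs from ordinary pings. The `key=value` log format, the addresses, and the `fake_encrypted_chunk` stand-in for ciphertext are all constructed for this example.

```python
"""Toy detector for ICMP echo traffic that behaves like a covert channel.

Added example, not code from the original post or from PowerDrop itself.
It flags (src, dst) pairs that send many echo requests whose payloads are
a non-standard size and look random (high byte entropy), which is how
chunked, encrypted exfiltration differs from ordinary ping traffic.
The log format and every record below are constructed for this example.
"""
import math
from collections import defaultdict

# Payload sizes ordinary pings produce (Windows ping.exe: 32 bytes,
# Linux iputils ping: 56 bytes). Anything else deserves a second look.
STANDARD_PING_SIZES = {32, 56}
ICMP_ECHO_REQUEST = 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8 for ciphertext, low for text/padding."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value' ICMP log line (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"],
        "src": fields["src"],
        "dst": fields["dst"],
        "type": int(fields["type"]),
        "payload": bytes.fromhex(fields["payload"]),
    }


def detect_icmp_channels(lines, min_packets=4, min_entropy=6.0):
    """Return {(src, dst): count} for suspicious echo-request streams.

    A stream is suspicious when one src/dst pair sends at least min_packets
    echo requests whose payload is a non-standard size and carries at least
    min_entropy bits/byte. Fixed-size ordinary pings and low-entropy probes
    (monitoring tools using custom sizes) are filtered out on purpose.
    """
    streams = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec["type"] != ICMP_ECHO_REQUEST:
            continue
        payload = rec["payload"]
        if len(payload) in STANDARD_PING_SIZES:
            continue
        if shannon_entropy(payload) < min_entropy:
            continue
        streams[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in streams.items() if n >= min_packets}


def fake_encrypted_chunk(n: int) -> bytes:
    """Constructed stand-in for a 128-byte ciphertext chunk (no real cipher).

    (i*37 + 11*n) mod 256 visits 128 distinct byte values, so the chunk
    has exactly 7 bits/byte of entropy, like real ciphertext would.
    """
    return bytes((i * 37 + 11 * n) % 256 for i in range(128))


# --- Constructed sample traffic (addresses and payloads are made up) ---
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # standard 32-byte payload
CUSTOM_PROBE = b"A" * 128                            # monitoring tool, odd size
C2, VICTIM = "203.0.113.7", "10.0.0.5"

SAMPLE_LOG = [
    f"ts=2023-05-02T09:00:01Z src=10.0.0.8 dst=10.0.0.1 type=8 payload={WINDOWS_PING.hex()}",
    f"ts=2023-05-02T09:00:01Z src=10.0.0.1 dst=10.0.0.8 type=0 payload={WINDOWS_PING.hex()}",
    f"ts=2023-05-02T09:00:02Z src=10.0.0.9 dst=10.0.0.1 type=8 payload={CUSTOM_PROBE.hex()}",
    # beacon: small fixed marker (low entropy), then an encrypted command in the reply
    f"ts=2023-05-02T09:00:05Z src={VICTIM} dst={C2} type=8 payload={b'beacon-marker'.hex()}",
    f"ts=2023-05-02T09:00:05Z src={C2} dst={VICTIM} type=0 payload={fake_encrypted_chunk(99).hex()}",
]
# exfiltration: command output pushed back to the C2 in 128-byte chunks
SAMPLE_LOG += [
    f"ts=2023-05-02T09:00:{6 + n:02d}Z src={VICTIM} dst={C2} type=8 payload={fake_encrypted_chunk(n).hex()}"
    for n in range(5)
]

if __name__ == "__main__":
    for (src, dst), n in detect_icmp_channels(SAMPLE_LOG).items():
        print(f"suspicious ICMP stream {src} -> {dst}: {n} high-entropy, odd-size echo requests")
```

Run against the constructed log, only the five exfiltration chunks from 10.0.0.5 to 203.0.113.7 are reported; the standard pings, the oversized but low-entropy probe, and the reply carrying the command are all filtered. Note what the heuristic deliberately does not catch: the small fixed beacon marker has low entropy, so it needs a content signature rather than a statistical check, and nothing here sees the host side, where a PowerShell process with WmiPrvSE.exe as its parent is the complementary signal.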
Once more we see that attackers know the standard security practices well and are quite capable of developing simple techniques and tools that are good enough to get in and stay hidden from those common controls. Something has to change in the way security is "done"; we cannot keep doing what has always been done and expect anything other than failure. Cybersecurity needs to become more than chasing numbers and metrics. It must become more proactive and dynamic to meet the evolving threat landscape.