
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

SolarMarker Backdoor Pretends to be Legit PDFescape Installer

The trojanized installer of the legitimate “PDFescape Desktop Installer” app looks like this:

Fake PDFescape Desktop Installer App
SHA-256: 0c933001de544ebc071d175d9f8e3bfad8066b532dc69dea4c713c52eb6a64a0

Cyren detects this kind of malware as W32/SolarMarker.A.gen!Eldorado.

Upon execution, it creates an encoded file under %Userdir%\<randomchars>\<randomchars>\<randomchars>\<randomchars>\<randomchars>\<randomchars>\<randomchars>. It then runs a PowerShell command that decodes and executes the malicious script and deletes the encoded file. Afterwards, it drops and executes a clean installer named “PDFescape_Desktop_Installer.exe”, so the user still sees the expected application being installed.

Code Snippet of PowerShell Decoder and Executor

It then writes a copy of the malicious PowerShell script to %appdata%\Microsoft\<randomchars>\<randomchars>.PS1. Cyren detects this script as PSH/SolarMarker.A.

For persistence it creates %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\a7e886f7e164c982a59aa5b4981aa.lnk, a shortcut pointing to <randomchars>.PS1, so the script is launched again at every logon. Cyren detects this shortcut as LNK/SolarMarker.A.

It creates the file %userprofile%\APPDATA\ROAMING\SOLARMARKER.DAT, which contains a random 32-byte string used as the malware_id.

Code Snippet of Solarmarker config file

It also creates an empty (null) file %userprofile%\APPDATA\ROAMING\{Base64EncodedString}, whose name is a Base64-encoded string derived from the malware_id and malware_version.

Code Snippet of Null File using Malware ID and Version
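The files above are the host-side indicators an incident responder would look for. The following is an added Python example, not Cyren's code and not part of the original write-up: it walks a user profile for the artefacts named on this page (SOLARMARKER.DAT and an empty Base64-named file in AppData\Roaming, a Startup shortcut that points at a .ps1 script, and .ps1 scripts under AppData\Roaming\Microsoft\<randomchars>\). The shortcut check is a heuristic assumed here: it searches the raw .lnk bytes for a .ps1 reference (ANSI or UTF-16LE) instead of parsing the Shell Link format. The sample profile the script builds is constructed for the demo and is not a real infection.

```python
from __future__ import annotations

import base64
import os
import re
import tempfile
from pathlib import Path

# A ".ps1" target inside a shortcut, stored either as ANSI or as UTF-16LE
# (shortcuts usually carry the target path in both forms). Heuristic, assumed here.
PS1_ANSI = re.compile(rb"[A-Za-z0-9_\-\\:. /]+\.ps1", re.IGNORECASE)
PS1_UTF16 = re.compile(rb"(?:[A-Za-z0-9_\-\\:. /]\x00)+\.\x00p\x00s\x001\x00", re.IGNORECASE)
# Standard Base64 alphabet minus '/', which cannot occur in a Windows file name.
B64_NAME = re.compile(r"^[A-Za-z0-9+]+={0,2}$")


def lnk_points_to_ps1(lnk: Path) -> bool:
    """True if the shortcut's bytes reference a .ps1 script."""
    data = lnk.read_bytes()
    return bool(PS1_ANSI.search(data) or PS1_UTF16.search(data))


def looks_base64(name: str) -> bool:
    """File name uses only Base64 characters and decodes cleanly."""
    if len(name) < 8 or len(name) % 4 or not B64_NAME.match(name):
        return False
    try:
        base64.b64decode(name, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def hunt(profile: Path) -> list[tuple[str, str]]:
    """Return sorted (indicator, path) pairs found under one user profile."""
    roaming = profile / "AppData" / "Roaming"
    startup = roaming / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    hits: list[tuple[str, str]] = []

    dat = roaming / "SOLARMARKER.DAT"            # 32-byte malware_id
    if dat.is_file():
        hits.append(("solarmarker.dat", str(dat)))

    if roaming.is_dir():                          # empty file named by Base64(malware_id, version)
        for p in roaming.iterdir():
            if p.is_file() and p.stat().st_size == 0 and looks_base64(p.name):
                hits.append(("empty_base64_file", str(p)))

    if startup.is_dir():                          # Startup .lnk that launches a .ps1
        for lnk in startup.glob("*.lnk"):
            if lnk_points_to_ps1(lnk):
                hits.append(("startup_lnk_to_ps1", str(lnk)))

    for ps1 in (roaming / "Microsoft").glob("*/*.ps1"):   # %appdata%\Microsoft\<random>\<random>.PS1
        hits.append(("ps1_in_roaming_microsoft", str(ps1)))

    return sorted(hits)


def build_sample_profile() -> Path:
    """Constructed demo profile laid out like the write-up describes (not a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="solarmarker-demo-"))
    roaming = root / "AppData" / "Roaming"
    startup = roaming / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    script_dir = roaming / "Microsoft" / "qkzp"          # stands in for <randomchars>
    for d in (startup, script_dir):
        d.mkdir(parents=True, exist_ok=True)
    (roaming / "SOLARMARKER.DAT").write_bytes(os.urandom(32))
    # The exact id/version encoding is not documented; "id:version" is an assumption.
    marker = base64.b64encode(b"demo-malware-id:2").decode()   # -> ZGVtby1tYWx3YXJlLWlkOjI=
    (roaming / marker).write_bytes(b"")
    script = script_dir / "rtnv.ps1"
    script.write_text("# placeholder for the PSH/SolarMarker.A script\n")
    (startup / "a7e886f7e164c982a59aa5b4981aa.lnk").write_bytes(
        b"L\x00\x00\x00" + str(script).encode("utf-16-le"))  # minimal stand-in for a .lnk
    # Benign neighbours that must not be flagged.
    (startup / "Notes.lnk").write_bytes(b"L\x00\x00\x00" + r"C:\Windows\notepad.exe".encode("utf-16-le"))
    (roaming / "settings.ini").write_text("[ui]\n")
    return root


if __name__ == "__main__":
    for kind, path in hunt(build_sample_profile()):
        print(f"{kind:26} {path}")
```

On a real host, run `hunt(Path(os.environ["USERPROFILE"]))` for each profile under C:\Users. Treat the empty-file check as a lead rather than a verdict: any zero-length file with a hex-looking or Base64-looking name will match, so confirm it together with the .DAT and the Startup shortcut.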

The following information is encrypted before it is sent to the command-and-control (C&C) server at 192.121.87.53:

{"action":"ping","hwid":"<malware_id>","pc_name":"<GetComputerName>","os_name":"<OS_Name>","arch":"<x64|x86>","rights":"<Admin|User>","version":"<malware_version>","workgroup":"<GetWorkGroup>","dns":0,"protocol_version":2}

Code Snippet of Information Sent to the C&C Server

The following C&C commands are supported:

  • file – downloads and executes a payload of file type “exe” or “ps1”
  • command – executes a PowerShell command

Code Snippet of C&C commands
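For someone working from a decrypted capture or a sandbox hook on the implant's network calls, the ping fields and the two command types above are enough to write a small triage routine. The following is an added Python example, not Cyren's code and not part of the original write-up: parse_ping() recognizes a beacon with exactly the fields listed above (protocol_version 2, arch x64/x86, rights Admin/User) and pulls out the tracking values, and triage_reply() classifies a C&C reply without executing anything, enforcing the exe/ps1 allowlist the page describes. The page does not give the reply wire format; the {"action", "file_type", "data"} layout and all sample messages here are constructed assumptions for the demo.

```python
import base64
import json

# Field set of the "ping" message as listed on this page.
PING_FIELDS = {"action", "hwid", "pc_name", "os_name", "arch", "rights",
               "version", "workgroup", "dns", "protocol_version"}
ALLOWED_FILE_TYPES = {"exe", "ps1"}   # the only payload types the "file" command delivers


def parse_ping(text: str):
    """Return tracking fields if `text` is a decrypted SolarMarker ping, else None."""
    try:
        msg = json.loads(text)
    except ValueError:
        return None
    if not isinstance(msg, dict) or set(msg) != PING_FIELDS:
        return None
    if msg["action"] != "ping" or msg["protocol_version"] != 2:
        return None
    if msg["arch"] not in ("x64", "x86") or msg["rights"] not in ("Admin", "User"):
        return None
    return {"hwid": msg["hwid"], "host": msg["pc_name"],
            "version": msg["version"], "admin": msg["rights"] == "Admin"}


def triage_reply(text: str) -> dict:
    """Classify a C&C reply (assumed layout) without running anything from it."""
    try:
        msg = json.loads(text)
    except ValueError:
        return {"verdict": "malformed"}
    action = msg.get("action") if isinstance(msg, dict) else None
    if action == "command":                      # PowerShell command to run
        script = str(msg.get("data", ""))
        return {"verdict": "command", "script": script, "lines": script.count("\n") + 1}
    if action == "file":                         # exe or ps1 payload to drop and run
        ftype = str(msg.get("file_type", "")).lower()
        if ftype not in ALLOWED_FILE_TYPES:
            return {"verdict": "unexpected_file_type", "file_type": ftype}
        try:
            payload = base64.b64decode(str(msg.get("data", "")), validate=True)
        except ValueError:
            return {"verdict": "malformed"}
        return {"verdict": "file", "file_type": ftype, "size": len(payload)}
    return {"verdict": "unknown_action", "action": action}


# Constructed sample messages (not captured traffic).
SAMPLE_PING = json.dumps({
    "action": "ping", "hwid": "3f9c1e7a5b2d4c6e8f0a1b2c3d4e5f60",
    "pc_name": "DESKTOP-TEST", "os_name": "Microsoft Windows 10 Pro", "arch": "x64",
    "rights": "User", "version": "2.0", "workgroup": "WORKGROUP", "dns": 0,
    "protocol_version": 2,
})
SAMPLE_REPLIES = [
    json.dumps({"action": "file", "file_type": "ps1",
                "data": base64.b64encode(b"Write-Host 'hi'\n").decode()}),
    json.dumps({"action": "command", "data": "Get-Process | Out-Null"}),
    json.dumps({"action": "file", "file_type": "dll", "data": ""}),   # outside the allowlist
    '{"action": "reboot"}',                                           # not a known command
    "not json",
]


if __name__ == "__main__":
    print("ping:", parse_ping(SAMPLE_PING))
    for reply in SAMPLE_REPLIES:
        print("reply:", triage_reply(reply))
```

The strict field-set comparison is deliberate: a beacon with extra or missing keys is not this protocol version and should be examined separately rather than silently matched.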
