
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

SolarMarker Backdoor Pretends to be Legit PDFescape Installer

The trojanized copy of the legitimate “PDFescape Desktop Installer” application looks like this:

Fake PDFescape Desktop Installer App
SHA-256: 0c933001de544ebc071d175d9f8e3bfad8066b532dc69dea4c713c52eb6a64a0

Cyren detects this kind of malware as W32/SolarMarker.A.gen!Eldorado.

Upon execution, it creates an encoded file under %Userdir%\<randomchars><randomchars><randomchars><randomchars><randomchars><randomchars><randomchars> (each path component is a string of random characters). It then runs a PowerShell command that decodes and executes the malicious script and deletes the encoded file. Afterwards, it drops and executes a clean copy of the real installer, “PDFescape_Desktop_Installer.exe”, so the user sees the expected application being installed and has no reason to suspect anything.

Code snippet of the PowerShell decoder and executor

It then writes a copy of the malicious PowerShell script to %appdata%\Microsoft\<randomchars>\<randomchars>.PS1. Cyren detects this script as PSH/SolarMarker.A.

For persistence it creates %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\a7e886f7e164c982a59aa5b4981aa.lnk, a shortcut pointing at the dropped <randomchars>.PS1, so the script is launched every time the user logs on. Cyren detects this shortcut as LNK/SolarMarker.A.

It creates the file %userprofile%\APPDATA\ROAMING\SOLARMARKER.DAT, which contains a random 32-byte string that is used as the malware_id (the “hwid” reported to the server).

Code snippet of the SolarMarker config file

It also creates an empty (zero-byte) file %userprofile%\APPDATA\ROAMING\{Base64EncodedString}, whose name is a Base64 string derived from the malware_id and malware_version; the file carries no content and serves only as a marker.

Code snippet of the empty marker file name derived from the malware ID and version
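The artifacts described above (the Startup shortcut pointing at a .PS1, the dropped script under %appdata%\Microsoft, SOLARMARKER.DAT, and the empty Base64-named marker) are all host-side indicators that can be checked without any decryption. The following triage script is an added example and is not Cyren's code or part of the original post. It walks one user's Roaming AppData tree; the sample tree it builds for the demo is constructed data, the 24-character minimum for the marker name is an assumed heuristic, and the .lnk check only looks for a ".ps1" target string rather than parsing the Shell Link format.

```python
import base64
import binascii
import tempfile
from pathlib import Path

# Locations from the write-up, relative to the user's Roaming AppData folder.
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")
DAT_NAME = "SOLARMARKER.DAT"
# Assumption: Base64 of a 32-byte malware_id plus a version string is at least this long.
MIN_MARKER_NAME_LEN = 24


def lnk_references_ps1(lnk_path: Path) -> bool:
    """Shell Link files store the target path as ANSI and/or UTF-16LE strings.
    For triage, searching both encodings for '.ps1' is enough; a forensic tool
    would parse the LinkInfo / StringData structures instead."""
    data = lnk_path.read_bytes().lower()
    return b".ps1" in data or ".ps1".encode("utf-16-le") in data


def looks_base64(name: str) -> bool:
    """True if `name` is canonical, padded Base64 (standard or URL-safe alphabet)."""
    if len(name) < MIN_MARKER_NAME_LEN or len(name) % 4:
        return False
    std = name.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(raw).decode("ascii") == std  # reject non-canonical encodings


def triage_roaming(roaming: Path) -> dict:
    """Look for the artifacts listed in the write-up under one user's Roaming AppData."""
    findings = {"startup_lnk": [], "dat_file": None, "marker_files": [], "ps1_copies": []}
    startup = roaming / STARTUP_REL
    if startup.is_dir():
        findings["startup_lnk"] = sorted(p.name for p in startup.iterdir()
                                         if p.is_file() and p.suffix.lower() == ".lnk"
                                         and lnk_references_ps1(p))
    dat = roaming / DAT_NAME
    if dat.is_file():
        size = dat.stat().st_size
        findings["dat_file"] = {"size": size, "is_32_bytes": size == 32}
    findings["marker_files"] = sorted(p.name for p in roaming.iterdir()
                                      if p.is_file() and p.stat().st_size == 0
                                      and looks_base64(p.name))
    ms = roaming / "Microsoft"
    if ms.is_dir():  # a .ps1 anywhere under Microsoft\ is unusual and corroborates a hit
        findings["ps1_copies"] = sorted(p.relative_to(roaming).as_posix() for p in ms.rglob("*")
                                        if p.is_file() and p.suffix.lower() == ".ps1")
    return findings


def is_suspicious(findings: dict) -> bool:
    """The shortcut, the .DAT or the empty marker is each a strong indicator on its own."""
    return bool(findings["startup_lnk"] or findings["dat_file"] or findings["marker_files"])


def build_sample_profile(root: Path, infected: bool) -> Path:
    """Construct a fake Roaming tree for the demo (sample data, not a real capture)."""
    roaming = root / "AppData" / "Roaming"
    (roaming / STARTUP_REL).mkdir(parents=True)
    (roaming / "Microsoft" / "Edge").mkdir(parents=True)
    if infected:
        script = roaming / "Microsoft" / "wq2f" / "rz9k.PS1"
        script.parent.mkdir()
        script.write_text("# placeholder for the dropped script\n")
        target = r"C:\Users\victim\AppData\Roaming\Microsoft\wq2f\rz9k.PS1"
        # Minimal stand-in for a .lnk: header bytes followed by a UTF-16LE target path.
        (roaming / STARTUP_REL / "a7e886f7e164c982a59aa5b4981aa.lnk").write_bytes(
            b"L\x00\x00\x00" + target.encode("utf-16-le"))
        (roaming / DAT_NAME).write_bytes(bytes(range(32)))  # stands in for the 32-byte malware_id
        marker = base64.b64encode(bytes(range(32)) + b"|2").decode("ascii")  # id + version
        (roaming / marker).touch()
    return roaming


def demo() -> dict:
    """Build an infected and a clean sample tree and triage both."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = triage_roaming(build_sample_profile(Path(tmp) / "victim", True))
        clean = triage_roaming(build_sample_profile(Path(tmp) / "clean", False))
    return {"infected": infected, "clean": clean}


if __name__ == "__main__":
    for label, f in demo().items():
        print(label, "SUSPICIOUS" if is_suspicious(f) else "clean", f)
```

On a live Windows host, call `triage_roaming(Path(os.environ["APPDATA"]))` for the current user, or point it at each `C:\Users\<name>\AppData\Roaming` from a collected image. Note that the encoded first-stage file under %Userdir% is deleted after use, so it is not hunted here.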

The following information is collected, encrypted and then sent to the Command and Control (C&C) server at 192.121.87.53:

{"action":"ping","hwid":"<malware_id>","pc_name":"<GetComputerName>","os_name":"<OS_Name>","arch":"<x64|x86>","rights":"<Admin|User>","version":"<malware_version>","workgroup":"<GetWorkGroup>","dns":0,"protocol_version":2}

Code snippet of the information sent to the C&C server

The C&C server can respond with the following commands:

  • file – downloads and executes a payload of type “exe” or “ps1”
  • command – executes a PowerShell command

Code snippet of the C&C command handling
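Once the beacon traffic has been decrypted (from a sandbox run or memory), the fixed fields of the ping and the two-command task set above are enough to write a parser that turns captured messages into a host inventory and classifies server replies. The following is an added example, not code from Cyren or from the malware: the ping fields are taken from the write-up, but the hwid values, the sample lines, and the reply layout for tasks (a JSON object with "action", a "type" of exe/ps1 and a "payload") are assumptions made for this example, since the page only names the commands and the two file types.

```python
import json

# Fields of the documented ping. "action" and "protocol_version" are fixed in the
# sample on the page; the remaining fields carry host facts.
PING_INVARIANTS = {"action": "ping", "protocol_version": 2}
PING_HOST_FIELDS = ("hwid", "pc_name", "os_name", "arch", "rights", "version", "workgroup", "dns")

# The page documents two commands, "file" (exe or ps1) and "command". The reply
# layout used below ("action", "type", "payload") is an assumption for this example.
ALLOWED_FILE_TYPES = {"exe", "ps1"}


def parse_ping(text: str):
    """Return a normalised host record if `text` is a SolarMarker-style ping, else None."""
    try:
        msg = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or any(msg.get(k) != v for k, v in PING_INVARIANTS.items()):
        return None
    if any(k not in msg for k in PING_HOST_FIELDS):
        return None
    if msg["arch"] not in ("x64", "x86") or msg["rights"] not in ("Admin", "User"):
        return None
    return {
        "hwid": msg["hwid"],
        "host": msg["pc_name"],
        "os": msg["os_name"],
        "arch": msg["arch"],
        "admin": msg["rights"] == "Admin",
        "version": msg["version"],
        "workgroup": msg["workgroup"],
    }


def classify_task(text: str):
    """Classify a decrypted server reply as ("file", "exe"|"ps1"), ("command", None), or None
    for anything outside the documented command set (including file types the page does not list)."""
    try:
        msg = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("payload"), str):
        return None
    action = msg.get("action")
    if action == "command":
        return ("command", None)
    if action == "file" and msg.get("type") in ALLOWED_FILE_TYPES:
        return ("file", msg["type"])
    return None


def summarise(lines):
    """Correlate a batch of decrypted client messages by hwid: beacon count, privilege, versions."""
    hosts = {}
    for line in lines:
        rec = parse_ping(line)
        if rec is None:  # not a ping, or malformed: skip rather than guess
            continue
        entry = hosts.setdefault(rec["hwid"], {"host": rec["host"], "pings": 0,
                                               "admin": False, "versions": set()})
        entry["pings"] += 1
        entry["admin"] = entry["admin"] or rec["admin"]
        entry["versions"].add(rec["version"])
    return hosts


# Constructed sample traffic (not a real capture): two pings from one host that was
# re-run elevated, one ping from a second host, one unrelated JSON line, one non-JSON line.
SAMPLE_CLIENT_LINES = [
    '{"action":"ping","hwid":"a1b2c3d4e5f60718293a4b5c6d7e8f90","pc_name":"DESKTOP-7H3K","os_name":"Windows 10 Pro","arch":"x64","rights":"User","version":"2.0","workgroup":"WORKGROUP","dns":0,"protocol_version":2}',
    '{"action":"ping","hwid":"a1b2c3d4e5f60718293a4b5c6d7e8f90","pc_name":"DESKTOP-7H3K","os_name":"Windows 10 Pro","arch":"x64","rights":"Admin","version":"2.0","workgroup":"WORKGROUP","dns":0,"protocol_version":2}',
    '{"action":"ping","hwid":"00112233445566778899aabbccddeeff","pc_name":"FIN-LAPTOP-02","os_name":"Windows 11 Pro","arch":"x86","rights":"User","version":"2.1","workgroup":"CORP","dns":0,"protocol_version":2}',
    '{"action":"ping","hwid":"deadbeef","protocol_version":1}',
    'not json at all',
]

if __name__ == "__main__":
    for hwid, info in summarise(SAMPLE_CLIENT_LINES).items():
        print(hwid, info)
    print(classify_task('{"action":"file","type":"ps1","payload":"..."}'))
```

The strict checks in `parse_ping` (exact invariants, the arch and rights vocabularies, all host fields present) are what make the function usable as a signature on decrypted content: a generic JSON "ping" from another tool will not match, and a malformed or truncated line is skipped rather than partially indexed.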
