SolarMarker Backdoor Pretends to be Legit PDFescape Installer


The trojanized installer of the legitimate "PDFescape Desktop Installer" application looks like this:

Fake PDFescape Desktop Installer App
SHA-256: 0c933001de544ebc071d175d9f8e3bfad8066b532dc69dea4c713c52eb6a64a0

Cyren detects this kind of malware as W32/SolarMarker.A.gen!Eldorado.

Upon execution, it creates an encoded file under %Userdir%\<randomchars>\<randomchars>\<randomchars>\<randomchars>\<randomchars>\<randomchars>\<randomchars>. It then runs a PowerShell command that decodes and executes the malicious script and deletes the encoded file. Afterwards, it drops and executes a clean installer named "PDFescape_Desktop_Installer.exe".

Code snippet of the PowerShell decoder and executor

It then writes a copy of the malicious PowerShell script to %appdata%\Microsoft\<randomchars>\<randomchars>.PS1. Cyren detects this script as PSH/SolarMarker.A.

It then creates %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\a7e886f7e164c982a59aa5b4981aa.lnk, a shortcut file pointing to <randomchars>.PS1. Cyren detects this shortcut as LNK/SolarMarker.A.

It creates the file %userprofile%\APPDATA\ROAMING\SOLARMARKER.DAT, which contains a random 32-byte string used as the malware_id.

Code snippet of the SolarMarker config file

It also creates an empty (null) file %userprofile%\APPDATA\ROAMING\{Base64ENcodedString}, whose name is derived from the malware_id and malware_version.

Code snippet of the null file name built from the malware ID and version
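As an added example (not code from the Cyren write-up), a small Python triage script that checks a user profile for the host artifacts described above: the SOLARMARKER.DAT config, the empty base64-named marker file, the .PS1 dropped under %appdata%\Microsoft, and a Startup shortcut whose target is a .ps1. The profile it scans is a constructed mock tree; the shortcut check is a raw byte-string heuristic rather than a full .lnk parser, and the base64 check validates only the name's format.

```python
import base64, re, tempfile
from pathlib import Path

ROAMING = Path("AppData") / "Roaming"          # write-up paths, relative to the profile
STARTUP = ROAMING / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # well-formed base64 file name

def looks_base64(name: str) -> bool:
    return len(name) % 4 == 0 and B64_NAME.match(name) is not None

def lnk_references_ps1(lnk: Path) -> bool:
    """Heuristic: the shortcut's raw bytes mention a .ps1 target (ASCII or UTF-16LE)."""
    data = lnk.read_bytes().lower()
    return b".ps1" in data or ".ps1".encode("utf-16-le") in data

def scan_profile(profile: Path) -> list:
    """Return one finding per SolarMarker-style artifact found under a user profile."""
    findings, roaming = [], profile / ROAMING
    dat = roaming / "SOLARMARKER.DAT"                # 32-byte malware_id config
    if dat.is_file():
        findings.append(f"config: {dat.name} ({dat.stat().st_size} bytes)")
    for f in roaming.iterdir() if roaming.is_dir() else []:  # empty base64-named marker
        if f.is_file() and f.stat().st_size == 0 and looks_base64(f.name):
            findings.append(f"empty-marker: {f.name}")
    for p in (roaming / "Microsoft").glob("*/*"):    # %appdata%\Microsoft\<rnd>\<rnd>.PS1
        if p.is_file() and p.suffix.lower() == ".ps1":
            findings.append(f"ps1: {p.relative_to(profile).as_posix()}")
    for lnk in (profile / STARTUP).glob("*.*"):      # Startup shortcut to the .PS1
        if lnk.suffix.lower() == ".lnk" and lnk_references_ps1(lnk):
            findings.append(f"startup-lnk: {lnk.name}")
    return sorted(findings)

def build_sample_profile(root: Path) -> Path:
    """Constructed mock profile carrying the artifacts (not real malware output)."""
    ps1 = root / ROAMING / "Microsoft" / "abcd" / "efgh.PS1"
    ps1.parent.mkdir(parents=True)
    ps1.write_text("# constructed placeholder, not the real script\n")
    (root / STARTUP).mkdir(parents=True)
    # Fake shortcut: only the UTF-16LE target string matters for the heuristic.
    (root / STARTUP / "a7e886f7e164c982a59aa5b4981aa.lnk").write_bytes(
        b"L\x00\x00\x00" + str(ps1).encode("utf-16-le"))
    (root / ROAMING / "SOLARMARKER.DAT").write_bytes(b"A" * 32)
    (root / ROAMING / base64.b64encode(b"A" * 32 + b"|1.0").decode()).touch()
    return root

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_sample_profile(Path(tmp)))
```

On a live system, call scan_profile on each directory under C:\Users instead of the mock tree; a hit on any one artifact alone is weak, all four together is a strong indicator.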


The following information is encrypted before it is sent to the Command and Control (C&C) server "".


Code snippet of the information sent to the C&C server

The following C&C commands are used:

  • file - downloads and executes a payload of file type "exe" or "ps1"
  • command - executes a PowerShell script command

Code snippet of the C&C command handler

