SolarMarker’s Shift to PyInstaller Tactics

eSentire’s TRU found SolarMarker operators have shifted to using PyInstaller-packed executables to conceal first-stage PowerShell scripts and a compiled Python backdoor, delivered via a fake Loma Linda University site. The campaign uses base64-encoded blobs (a decoy PDF and an AES-encrypted backdoor), temporary _MEI extraction folders, and silent PowerShell execution to evade detection. #SolarMarker #PyInstaller

Keypoints

  • SolarMarker actors now use PyInstaller to package and hide malicious Python payloads that contain first-stage PowerShell scripts.
  • Initial lure was a malicious file disguised as a PDF downloaded from a website impersonating Loma Linda University.
  • The dropped executable (example: ChildCareWaiverRequest.exe, MD5: 02df78385af891a268212f6093b91154) extracts files into C:\Users\username\AppData\Local\Temp\_MEI*.
  • Decompiled Python code decodes base64 blobs; the first blob is a decoy PDF and the second is an AES-encrypted SolarMarker backdoor.
  • The loader spawns powershell.exe with CREATE_NO_WINDOW to execute base64-decoded scripts silently.
  • eSentire’s SOC isolated the host, demonstrating detection via process and artifact analysis and the value of decompilation capabilities.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – Use of PyInstaller to conceal the malicious Python and embedded scripts (‘SolarMarker malware campaigns are now utilizing PyInstaller to hide malicious PowerShell scripts’).
  • [T1027.002] Software Packing – Packaging the first-stage payload and dependencies into a single executable and extracting to a Temp _MEI folder (‘…dropped under “C:\Users\username\AppData\Local\Temp\_MEI*” folder’).
  • [T1132] Data Encoding – Base64-encoded blobs are decoded by the Python payload to retrieve the decoy PDF and encrypted backdoor (‘the code decodes base64-encoded strings, spawns a new process (powershell.exe), and executes the base64-decoded script within that process’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The malware spawns powershell.exe and executes the decoded script using subprocess with CREATE_NO_WINDOW (‘spawns a new process (powershell.exe) and executes the base64-decoded script within that process’).
  • [T1204.002] User Execution: Malicious File – The attack relied on a user downloading and running a file disguised as a PDF from a fake university site (‘The user downloaded a malicious file disguised as a PDF document from a website hosted by threat actors’).
  • [T1036] Masquerading – The distribution site impersonated Loma Linda University to trick victims (‘This site…masqueraded as Loma Linda University’).

Indicators of Compromise

  • [File name / MD5] initial payload and decoy – ChildCareWaiverRequest.exe (MD5: 02df78385af891a268212f6093b91154), ~BH-04918471412496586.pdf (MD5: 3ccb3a9ab45b0f6019c7fcefaea15e8f)
  • [File path] PyInstaller extraction – C:\Users\username\AppData\Local\Temp\_MEI* (temporary folder where compiled Python and dependencies are dropped)
  • [Hosting / Domain] distribution site – malicious website impersonating Loma Linda University (URL not provided in article); reference/source: https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics

eSentire observed SolarMarker actors switch to PyInstaller-packaged executables as the first-stage delivery mechanism. The distributed EXE (example: ChildCareWaiverRequest.exe) extracts a compiled Python runtime and associated files into a Temp _MEI* folder, then spawns a suspended process to run the embedded .pyc component. Decompilation of that Python component shows constants for base64 decoding and subprocess creation; the decoded blobs include a decoy PDF and an AES-encrypted payload which is decrypted and loaded via a dynamically loaded assembly method.

The loader uses subprocess to start powershell.exe with the CREATE_NO_WINDOW flag and executes base64-decoded PowerShell scripts, so nothing is shown to the user. The campaign combines PyInstaller packing, base64 encoding, AES encryption, and masquerading via a fake university site to evade basic defenses. Indicators to monitor therefore include the specific EXE/MD5s, _MEI extraction folders, unexpected powershell.exe invocations with encoded payloads, and downloaded decoy documents.

Detection and response should focus on process ancestry and creation (suspended-process patterns, _MEI extraction behavior), the capability to decompile and inspect embedded Python blobs, and rapid isolation of hosts exhibiting the above artifacts to prevent backdoor establishment.
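As an added illustration of the ancestry-based detection described above (this is example code, not eSentire's tooling), the following correlates normalized process-create and file-create telemetry: any process that populates a Temp\_MEI* folder, and every descendant of it, is marked as PyInstaller-derived, and a powershell.exe launched from that lineage with an encoded command is reported together with the original dropper image. The event records, PIDs, user name and DLL name are constructed sample data; the dropper file name comes from the post.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str           # "process" (process-create) or "file" (file-create)
    pid: int
    ppid: int = 0       # parent PID, process events only
    image: str = ""     # full image path, process events only
    cmdline: str = ""   # command line, process events only
    path: str = ""      # written path, file events only

# PyInstaller one-file extraction directory under the user's Temp folder.
MEI_DIR = re.compile(r"\\AppData\\Local\\Temp\\_MEI\w+\\", re.IGNORECASE)
# PowerShell -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)

def find_pyinstaller_powershell_chains(events):
    """Return (dropper_image, powershell_pid) for each powershell.exe with an
    encoded command whose ancestry includes a process that wrote into _MEI*.
    Events are assumed to be in chronological order."""
    images = {}    # pid -> image path seen at process creation
    tainted = {}   # pid -> pid of the ancestor that populated _MEI*
    hits = []
    for ev in events:
        if ev.kind == "file":
            if MEI_DIR.search(ev.path):
                tainted.setdefault(ev.pid, ev.pid)
        elif ev.kind == "process":
            images[ev.pid] = ev.image
            if ev.ppid in tainted:
                tainted[ev.pid] = tainted[ev.ppid]   # children inherit the taint
                is_ps = ev.image.lower().endswith("\\powershell.exe")
                if is_ps and ENCODED_ARG.search(ev.cmdline):
                    hits.append((images.get(tainted[ev.ppid], "?"), ev.pid))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\alice\Downloads\ChildCareWaiverRequest.exe"   # constructed path
SAMPLE_EVENTS = [  # constructed telemetry; the bootloader re-spawns itself, then Python spawns PowerShell
    Event("process", 100, 1, DROPPER, "ChildCareWaiverRequest.exe"),
    Event("file", 100, path=r"C:\Users\alice\AppData\Local\Temp\_MEI48122\python311.dll"),
    Event("process", 101, 100, DROPPER, "ChildCareWaiverRequest.exe"),
    Event("process", 102, 101, PS, "powershell.exe -nop -enc " + "QQBCAEMA" * 4),
    # Benign comparison: an encoded command whose lineage never touched _MEI*.
    Event("process", 200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("process", 201, 200, PS, "powershell.exe -enc " + "QQBCAEMA" * 4),
]

if __name__ == "__main__":
    for dropper, ps_pid in find_pyinstaller_powershell_chains(SAMPLE_EVENTS):
        print(f"ALERT: encoded PowerShell (pid {ps_pid}) descends from PyInstaller dropper {dropper}")
```

Only the chain rooted in the _MEI*-writing dropper is reported; the encoded PowerShell under explorer.exe is left alone, which is the difference between this check and a bare "-enc" match.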

Read more: https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics