A new Go-based loader named CherryLoader has emerged in the cybercriminal landscape.
Based on reports, the new malicious tool is a sophisticated malware that could deploy privilege escalation exploits. Moreover, this malicious software disguises itself as the legitimate CherryTree note-taking app, leveraging an icon and name that lures potential victims.
CherryLoader has recently been observed in two intrusions, highlighting its insidious nature. The malware’s primary function is to deliver additional payloads onto compromised hosts, which can then serve as a gateway for further exploitation.
The loader executes its attack by dropping PrintSpoofer or JuicyPotatoNG, two privilege escalation tools, onto the targeted device. Next, these tools run a batch file to establish persistence on the compromised system.
The new CherryLoader malware has a modularised infrastructure.
According to investigations, the unique aspect of CherryLoader malware is its modularised design that enables its operators to swap exploits seamlessly without recompiling code. In addition, the modular design allows threat actors to dynamically adapt and deploy different exploits, enhancing the malware’s stealthiness and effectiveness.
However, the method by which CherryLoader is distributed remains unknown. Still, the initial analysis of the attack reported that the campaign starts with a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.
The archive contains CherryLoader and its associated files; the primary executable (“main.exe”) is responsible for unpacking and launching the Golang binary. This Golang binary only proceeds if its first argument matches a hard-coded MD5 password hash, adding an extra anti-analysis hurdle that keeps the loader from running outside the operators’ intended invocation.
Once executed, CherryLoader employs fileless tactics, such as process ghosting, to decrypt and run its payload. The modular design facilitates swapping different exploits, with “Juicy.Data” as an alternative to the initial “Spof.Data.”
The threat actors follow up the successful privilege escalation by executing a batch file script called “user.bat.” This script establishes persistence on the compromised host and disables Microsoft Defender.
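The chain described above (main.exe launching PrintSpoofer or JuicyPotatoNG, which in turn runs user.bat) is the kind of behaviour a defender can check for in process-creation telemetry. The following detector is an added example, not code from the article or from the original research: it scans a constructed list of process-creation records for the file names, tool names and hosting IP quoted in the article, and flags the parent-child chain main.exe → privilege-escalation tool → user.bat. The event format, field names, sample paths and the MD5_PLACEHOLDER argument are assumptions made for the example.

```python
"""
Added example: static IoC matching plus a behavioural parent-chain rule for
the CherryLoader sequence the article describes. Everything below except the
quoted indicator names and the IP address is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator names quoted in the article.
FILE_INDICATORS = {"packed.rar", "spof.data", "juicy.data", "user.bat"}
PRIVESC_TOOLS = {"printspoofer", "juicypotatong"}
HOSTING_IP = "141.11.187.70"  # written 141.11.187[.]70 in the article


@dataclass
class ProcEvent:
    """One process-creation record (field names are an assumption)."""
    pid: int
    ppid: int
    image: str                       # path of the started executable
    cmdline: str
    remote_ip: Optional[str] = None  # outbound connection seen from this pid


def basename(path: str) -> str:
    """Lower-cased final path component, e.g. C:\\Temp\\Main.exe -> main.exe."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def tool_name(path: str) -> str:
    """Basename without a trailing .exe, so PrintSpoofer64.exe -> printspoofer64."""
    return re.sub(r"\.exe$", "", basename(path))


def is_privesc_tool(path: str) -> bool:
    """Match the tool names from the article, tolerating suffixes such as '64'."""
    name = tool_name(path)
    return any(name.startswith(t) for t in PRIVESC_TOOLS)


def cmd_tokens(cmdline: str) -> List[str]:
    """Split a command line into tokens, keeping quoted paths whole."""
    return re.findall(r'"[^"]+"|\S+', cmdline)


def indicator_hits(ev: ProcEvent) -> List[str]:
    """Per-event static matches: known file names, tool names, hosting IP."""
    hits = set()
    for tok in [ev.image] + cmd_tokens(ev.cmdline):
        if basename(tok) in FILE_INDICATORS:
            hits.add(f"file:{basename(tok)}")
        if is_privesc_tool(tok):
            hits.add(f"tool:{tool_name(tok)}")
    if ev.remote_ip == HOSTING_IP:
        hits.add(f"ip:{ev.remote_ip}")
    return sorted(hits)


def privesc_chains(events: List[ProcEvent]) -> List[List[int]]:
    """
    Behavioural rule: a process running user.bat whose ancestry contains a
    privilege-escalation tool and, above that, main.exe. Returns the pid path
    from main.exe down to the batch runner for every match.
    """
    by_pid = {ev.pid: ev for ev in events}
    chains = []
    for ev in events:
        if "user.bat" not in {basename(t) for t in cmd_tokens(ev.cmdline)}:
            continue
        path, seen_tool = [ev.pid], False
        cur = by_pid.get(ev.ppid)
        while cur is not None and len(path) < 64:  # bound against pid cycles
            path.append(cur.pid)
            if is_privesc_tool(cur.image):
                seen_tool = True
            elif seen_tool and basename(cur.image) == "main.exe":
                chains.append(list(reversed(path)))
                break
            cur = by_pid.get(cur.ppid)
    return chains


def scan(events: List[ProcEvent]) -> Dict[str, object]:
    """Run both rules; indicators are keyed by pid, chains are pid paths."""
    per_pid = {ev.pid: h for ev in events if (h := indicator_hits(ev))}
    return {"indicators": per_pid, "chains": privesc_chains(events)}


# Constructed sample telemetry: one infection chain and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(80, 1, r"C:\Program Files\Browser\browser.exe", "browser.exe", remote_ip=HOSTING_IP),
    ProcEvent(90, 80, r"C:\Program Files\WinRAR\WinRAR.exe", r'WinRAR.exe x "C:\Users\alice\Downloads\Packed.rar"'),
    # MD5_PLACEHOLDER stands in for the hard-coded hash argument; the second argument is assumed.
    ProcEvent(100, 90, r"C:\Temp\main.exe", r"C:\Temp\main.exe MD5_PLACEHOLDER Spof.Data"),
    ProcEvent(110, 100, r"C:\Temp\PrintSpoofer64.exe", r"C:\Temp\PrintSpoofer64.exe"),
    ProcEvent(120, 110, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\user.bat"),
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(210, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\dev\build.bat"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\alice\user.bat"),  # same name, no tool above it
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for pid, hits in result["indicators"].items():
        print(f"pid {pid}: {', '.join(hits)}")
    for chain in result["chains"]:
        print("privilege-escalation chain:", " -> ".join(map(str, chain)))
```

The two rules are deliberately separate: the file-name and IP matches are cheap but brittle (an operator can rename user.bat or move hosting), whereas the parent-chain rule keys on the sequence the article describes and survives renaming of the batch file as long as the tool and loader relationship is preserved. In the sample data, the user.bat launched under explorer.exe (pid 300) produces only a static hit and no chain, which is the distinction a triage analyst wants.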
In conclusion, CherryLoader is a newly identified multi-stage downloader that employs encryption and anti-analysis techniques to deploy publicly available privilege escalation exploits efficiently. Its mimicry of the legitimate CherryTree application and its modular design make CherryLoader a serious and adaptable threat.
