
CherryLoader: Not Your Average Go-based Malware Loader

A new Go-based malware loader named CherryLoader has surfaced in the wild, posing a significant threat by delivering additional payloads onto compromised hosts for subsequent exploitation.


CherryLoader Malware Loader in Detail

CherryLoader operates deceptively, disguising itself as the legitimate CherryTree note-taking application to lure potential victims into unknowingly installing the malware. Unearthed in two recent intrusions, this sophisticated loader has raised concerns due to its unique tactics and capabilities.
According to a report by researchers Hady Azzam, Christopher Prest, and Steven Campbell, CherryLoader is employed to drop either PrintSpoofer or JuicyPotatoNG – two privilege escalation tools. These tools, in turn, execute a batch file to establish persistence on the victim’s device.

CherryLoader’s Malicious Capabilities

A noteworthy aspect of CherryLoader is its modular design, which lets threat actors swap exploits without recompiling the loader. Its distribution method is currently unknown, but cybersecurity experts have traced its presence in attack chains where it is concealed within a RAR archive file named “Packed.rar” hosted on the IP address 141.11.187[.]70.

Once the RAR file is downloaded, an executable (“main.exe”) unpacks and launches the Golang binary, which proceeds only if its first argument matches a hard-coded MD5 password hash. The loader then decrypts “NuxtSharp.Data” and writes its contents to a file named “File.log”, utilizing process ghosting, a fileless technique first identified in June 2021.

The modular design of CherryLoader enables the threat actor to substitute exploits without recompiling code. For instance, the loader can switch from “Spof.Data” to “Juicy.Data” seamlessly, each containing distinct privilege escalation exploits.

The process associated with “12.log” corresponds to the open-source privilege escalation tool PrintSpoofer, while “Juicy.Data” deploys another privilege escalation tool, JuicyPotatoNG. Once privileges have been escalated, a batch script called “user.bat” runs to establish persistence on the host and disable Microsoft Defender.
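As an added example (not code from the article or from the researchers it cites), the following Python script matches the file names and the hosting address named above against constructed Sysmon-style event lines, summarises which stages of the chain were observed, and flags command lines whose first argument looks like an MD5 hash, the check the loader performs before it proceeds. The log lines, paths and the hash value are constructed for illustration and are not real telemetry.

```python
"""Indicator matching for the CherryLoader chain described in the article.

Added example: this is not code from the article or from the researchers
it cites. The indicator names come from the article's text; the log lines
below are constructed to resemble simplified Sysmon-style events.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Artifacts named in the article, keyed by lowercase file name.
FILE_INDICATORS = {
    "packed.rar": "RAR archive that carries the loader",
    "main.exe": "executable that unpacks and launches the Go binary",
    "nuxtsharp.data": "encrypted payload decrypted by the loader",
    "file.log": "decrypted payload written to disk before process ghosting",
    "spof.data": "PrintSpoofer privilege escalation module",
    "juicy.data": "JuicyPotatoNG privilege escalation module",
    "12.log": "process associated with PrintSpoofer",
    "user.bat": "batch script for persistence and disabling Defender",
}
# The article defangs the hosting address; it is refanged before matching.
NETWORK_INDICATORS = {"141.11.187[.]70": "host serving Packed.rar"}

# Which part of the chain each indicator belongs to, used to summarise hits.
STAGES = {
    "delivery": {"packed.rar", "141.11.187[.]70"},
    "unpack": {"main.exe"},
    "decrypt": {"nuxtsharp.data", "file.log"},
    "privesc": {"spof.data", "juicy.data", "12.log"},
    "persistence": {"user.bat"},
}


@dataclass
class Hit:
    line_no: int
    indicator: str
    description: str
    raw: str


def refang(ioc: str) -> str:
    """Turn a defanged address such as 1.2.3[.]4 back into 1.2.3.4."""
    return ioc.replace("[.]", ".")


def _name_pattern(name: str) -> "re.Pattern":
    # Match the name as a whole token (case-insensitive) so that, for
    # example, "file.log" does not fire on "profile.log".
    return re.compile(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])", re.IGNORECASE)


def field(line: str, key: str) -> Optional[str]:
    """Extract KEY=value or KEY="quoted value" from a key=value style event."""
    m = re.search(re.escape(key) + r'=(?:"([^"]*)"|(\S+))', line)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per (line, indicator) pair for every indicator found."""
    patterns = [(n, d, _name_pattern(n)) for n, d in FILE_INDICATORS.items()]
    patterns += [(n, d, re.compile(r"(?<!\d)" + re.escape(refang(n)) + r"(?!\d)"))
                 for n, d in NETWORK_INDICATORS.items()]
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for name, desc, pat in patterns:
            if pat.search(line):
                hits.append(Hit(line_no, name, desc, line))
    return hits


def stages_seen(hits: List[Hit]) -> Set[str]:
    """Chain stages for which at least one indicator was matched."""
    return {stage for stage, names in STAGES.items()
            if any(h.indicator in names for h in hits)}


def hash_argument_lines(lines: List[str]) -> List[int]:
    """Line numbers whose command line passes a 32-hex-digit first argument.

    The article says the loader only proceeds if its first argument matches
    a hard-coded MD5 hash, so a bare MD5-looking token as the first argument
    is worth a second look. This is a triage heuristic, not a signature.
    """
    out = []
    for line_no, line in enumerate(lines, start=1):
        cmd = field(line, "CommandLine")
        if cmd is None:
            continue
        tokens = cmd.split()
        if len(tokens) >= 2 and re.fullmatch(r"[0-9a-fA-F]{32}", tokens[1]):
            out.append(line_no)
    return out


# Constructed sample events (not real telemetry). The MD5-looking argument
# on line 3 is a made-up value, not the loader's real hash.
SAMPLE_LOG = [
    r'2024-01-24T10:01:02Z NetworkConnect Image=C:\Windows\explorer.exe DestinationIp=141.11.187.70 DestinationPort=80',
    r'2024-01-24T10:01:09Z FileCreate Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Downloads\Packed.rar',
    r'2024-01-24T10:02:15Z ProcessCreate Image=C:\Users\alice\Downloads\main.exe CommandLine="main.exe 0123456789abcdef0123456789abcdef"',
    r'2024-01-24T10:02:16Z FileCreate Image=C:\Users\alice\Downloads\main.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\File.log',
    r'2024-01-24T10:02:20Z ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c user.bat"',
    r'2024-01-24T10:05:00Z ProcessCreate Image=C:\Program Files\CherryTree\cherrytree.exe CommandLine="cherrytree.exe notes.ctb"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.indicator} ({h.description})")
    print("stages observed:", sorted(stages_seen(found)))
    print("MD5-looking first argument on lines:", hash_argument_lines(SAMPLE_LOG))
```

Run it directly to print the matches. Because the file names are trivial for an operator to change, treat the name matches and the MD5-argument heuristic as triage aids that narrow where to look, and corroborate them with process-creation and file-write telemetry around the same hosts and times rather than relying on them as a signature.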

Conclusion

CherryLoader emerges as a newly identified multi-stage downloader employing various encryption methods and anti-analysis techniques. Its ability to run alternative privilege escalation exploits without recompiling code makes it a potent threat. Security experts continue to monitor and analyze CherryLoader to develop effective countermeasures against this sophisticated malware.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
