    New CherryLoader malware mimics CherryTree to deploy PrivEsc vulnerability

By techempire

Report, January 25, 2024, Editorial Department, Threat Intelligence/Malware Research

A new Go-based malware loader called CherryLoader has been discovered in the wild by threat hunters. It can deliver additional payloads to compromised hosts for follow-on exploitation.

Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader’s icon and name were disguised as those of the legitimate CherryTree note-taking application to trick potential victims into installing it.

Researchers Hady Azzam, Christopher Prest and Steven Campbell said: “CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device.”

In another novel twist, CherryLoader is modular, allowing threat actors to swap in different exploits without recompiling the code.

It is unclear how the loader was distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader (“cherrytree.exe”) and its associated files (“NuxtSharp.Data”, “Spof.Data” and “Juicy.Data”) are contained in a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.

Also contained in the RAR archive is an executable (“main.exe”) that is used to unpack and launch the Golang binary; the loader only proceeds if the first argument passed to it matches a hardcoded MD5 password hash.

The loader then decrypts “NuxtSharp.Data” and writes its contents to a file on disk named “File.log”, which in turn is designed to use fileless techniques to decode “Spof.Data” into “12.log” and execute it using a technique called process ghosting, first publicly disclosed in June 2021.

“The modular design of this technique allows threat actors to replace Spof.Data with other exploit code,” the researchers said. “In this case, Juicy.Data, which contains a different exploit, can be used without recompiling File.log.”

The process associated with “12.log” is linked to an open-source privilege escalation tool called PrintSpoofer, while “Juicy.Data” is another privilege escalation tool called JuicyPotatoNG.

After privileges have been successfully elevated, a batch script named “user.bat” is executed to establish persistence on the host and disable Microsoft Defender.
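The chain described above (archive retrieved from the hosting IP, stage files written by the masquerading “cherrytree.exe”, then “user.bat” launched) is what a defender would want to correlate rather than alert on any single file name. As an added example, not part of the report or of Arctic Wolf’s tooling, the Python rule below runs over constructed endpoint telemetry; the JSON-lines event schema, field names and sample paths are assumptions.

```python
import json
from collections import defaultdict

# Indicators taken from the article: the masquerading image name, the dropped
# stage files and the hosting IP (defanged as 141.11.187[.]70 in the report).
LOADER_IMAGE = "cherrytree.exe"
STAGE_FILES = {"nuxtsharp.data", "spof.data", "juicy.data", "file.log", "12.log"}
PERSISTENCE_SCRIPT = "user.bat"
HOSTING_IP = "141.11.187.70"

def _basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Map one telemetry event to the chain stage it indicates, or None."""
    kind = event.get("type")
    if kind == "net_connect" and event.get("dst") == HOSTING_IP:
        return "download"
    if kind == "file_write" and _basename(event.get("image", "")) == LOADER_IMAGE:
        if _basename(event.get("path", "")) in STAGE_FILES:
            return "stage_drop"
    if kind == "process_create" and PERSISTENCE_SCRIPT in event.get("cmdline", "").lower():
        return "persistence"
    return None

def detect(lines):
    """Return {host: sorted stages} for hosts showing two or more distinct stages.

    A lone file name such as File.log is a weak signal, so the rule alerts only
    when stages corroborate each other on the same host.
    """
    seen = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        stage = classify(event)
        if stage:
            seen[event["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= 2}

# Constructed sample telemetry in an assumed JSON-lines schema (not from the report).
SAMPLE_EVENTS = [
    json.dumps({"host": "ws01", "type": "net_connect", "image": "C:\\Temp\\main.exe", "dst": "141.11.187.70"}),
    json.dumps({"host": "ws01", "type": "file_write", "image": "C:\\Temp\\cherrytree.exe", "path": "C:\\Temp\\File.log"}),
    json.dumps({"host": "ws01", "type": "file_write", "image": "C:\\Temp\\cherrytree.exe", "path": "C:\\Temp\\12.log"}),
    json.dumps({"host": "ws01", "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Temp\\user.bat"}),
    # Benign: the real CherryTree saving a notebook must not trigger anything.
    json.dumps({"host": "ws02", "type": "file_write", "image": "C:\\Program Files\\CherryTree\\cherrytree.exe", "path": "C:\\Users\\a\\notes.ctb"}),
]
print(detect(SAMPLE_EVENTS))  # {'ws01': ['download', 'persistence', 'stage_drop']}
```

Because the real CherryTree also runs as cherrytree.exe, the stage-file names do the discriminating here; a production rule would additionally check the binary’s signature or install path.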

“CherryLoader is [a] newly discovered multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without needing to recompile any code,” the researchers concluded.
