CherryLoader Malware Disguised as CherryTree Unleashes Escalation Exploits

In a recent discovery, threat hunters have identified a new Go-based malware loader named CherryLoader, designed to deploy additional payloads for subsequent exploitation on compromised hosts. In two recent intrusions, CherryLoader camouflaged itself by adopting the icon and name of the legitimate CherryTree note-taking application, so that potential victims would unwittingly install the malware.

Researchers detailed that CherryLoader is employed to drop one of two privilege escalation tools—PrintSpoofer or JuicyPotatoNG. Subsequently, a batch file is executed to establish persistence on the victim’s device. Notably, CherryLoader introduces a unique feature by incorporating modularized components, allowing threat actors to interchange exploits without the need for recompiling the code.

While the distribution method of CherryLoader remains undisclosed, cybersecurity experts have traced the attack chains to an IP address (141.11.187[.]70) hosting a RAR archive file (“Packed.rar”). Within this archive, CherryLoader, represented as “cherrytree.exe,” and associated files such as “NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data” are contained. Additionally, an executable file (“main.exe”) is downloaded alongside the RAR file, serving to unpack and launch the Golang binary. Importantly, the Golang binary only executes if its first argument matches a hard-coded MD5 password hash.

Following successful execution, CherryLoader decrypts “NuxtSharp.Data” and writes its contents to a file named “File.log” on the disk. This file utilizes a fileless technique called process ghosting, initially observed in June 2021, to decode and run “Spof.Data” as “12.log.” Notably, the modular design of this technique enables threat actors to seamlessly swap in other exploit codes, with “Juicy.Data” being one such alternative, without the need for code recompilation.

The processes associated with “12.log” are linked to PrintSpoofer, an open-source privilege escalation tool, or JuicyPotatoNG, another privilege escalation tool, depending on the swapped-in exploit. A successful privilege escalation triggers the execution of a batch file script, “user.bat,” which establishes persistence on the host, disarms Microsoft Defender, and modifies firewall rules to facilitate remote connections.
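As an added defender-side example, not taken from the article or from the researchers' tooling, the following Python correlates constructed endpoint events against the chain described above (main.exe launching cherrytree.exe with an MD5-looking argument, the File.log / 12.log drops, and the user.bat run). The event format, field names and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Artefact names the article reports; event format, field names and the
# sample lines below are constructed for this example, not real telemetry.
STAGE_FILES = {"file.log", "12.log"}
PERSIST_SCRIPT = "user.bat"
MD5_LIKE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def basename(path):
    """Final path component, case-folded (handles either slash style)."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def parse_event(line):
    """Parse one 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def collect_indicators(lines):
    """Map each host to the sorted list of chain indicators observed on it."""
    hits = defaultdict(set)
    for ev in map(parse_event, lines):
        host, image = ev["host"], basename(ev.get("image", ""))
        if ev["type"] == "process":
            parent = basename(ev.get("parent", ""))
            args = ev.get("args", "").split()
            # Stage 1: main.exe launches cherrytree.exe with an MD5-looking first argument
            if image == "cherrytree.exe" and parent == "main.exe" and args and MD5_LIKE.match(args[0]):
                hits[host].add("loader_launch")
            # Stage 3: the persistence batch file runs once escalation succeeds
            if image == "cmd.exe" and PERSIST_SCRIPT in ev.get("args", "").lower():
                hits[host].add("persistence_batch")
        elif ev["type"] == "file":
            # Stage 2: decrypted payloads written to disk as File.log / 12.log
            target = basename(ev.get("target", ""))
            if image == "cherrytree.exe" and target in STAGE_FILES:
                hits[host].add("stage_drop:" + target)
    return {h: sorted(s) for h, s in hits.items()}

def is_cherryloader_chain(indicators):
    """Alert only when the loader launch and at least one stage drop co-occur."""
    return "loader_launch" in indicators and any(i.startswith("stage_drop:") for i in indicators)

# Constructed sample telemetry: ws1 is infected, ws2 is a benign CherryTree user
SAMPLE_EVENTS = [
    "host=ws1|type=process|image=C:\\Users\\u\\main.exe|parent=C:\\Windows\\explorer.exe|args=",
    "host=ws1|type=process|image=C:\\Users\\u\\cherrytree.exe|parent=C:\\Users\\u\\main.exe|args=0123456789abcdef0123456789abcdef",
    "host=ws1|type=file|image=C:\\Users\\u\\cherrytree.exe|target=C:\\Users\\u\\File.log",
    "host=ws1|type=file|image=C:\\Users\\u\\cherrytree.exe|target=C:\\Users\\u\\12.log",
    "host=ws1|type=process|image=C:\\Windows\\System32\\cmd.exe|parent=C:\\Users\\u\\cherrytree.exe|args=/c user.bat",
    "host=ws2|type=process|image=C:\\Program Files\\CherryTree\\cherrytree.exe|parent=C:\\Windows\\explorer.exe|args=notes.ctb",
]
```

Requiring both the loader launch and a stage drop before alerting keeps an ordinary CherryTree install (ws2) from tripping the rule on the file name alone.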

CherryLoader stands out as a newly identified multi-stage downloader, showcasing sophistication through diverse encryption methods and anti-analysis techniques. The malware’s ability to dynamically deploy privilege escalation exploits without code recompilation adds a layer of complexity to its threat profile, requiring continued vigilance from the cybersecurity community.

To safeguard against the CherryLoader malware and its deceptive tactics, users should exercise caution when downloading applications, especially from unofficial sources. Implementing robust cybersecurity practices, such as keeping software and security tools up to date and regularly scanning for malware, further reduces exposure. Additionally, organizations should implement network security measures to detect and block malicious activities.