Don't trust familiar icons: CherryLoader takes the art of cyber disguise to a new level

Brother

Flexibility and variability are the main weapons of the new malware.

Arctic Wolf researchers have discovered a new malicious downloader written in Go called CherryLoader. The threat has already been observed in the wild (ITW), where it is used to deliver additional malware to infected hosts for follow-on exploitation.

The downloader, seen in two recent intrusions, borrows the icon and name of the legitimate note-taking app CherryTree to trick potential victims into running it.

Experts note that CherryLoader was used to install one of two publicly available open-source privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which then ran a batch file to establish persistence on the victim's device.

Another innovative feature of CherryLoader is its modularity, which allows attackers to change exploits without having to recompile the code.

Currently, it is not known how the loader is distributed, but analysis of the attack chain showed that CherryLoader ("cherrytree.exe") and its associated files ("NuxtSharp.Data", "Spof.Data", and "Juicy.Data") are contained in a RAR archive ("Packed.rar") hosted at the IP address 141.11.187[.]70.

The RAR archive also contains an executable ("main.exe") that is used to unpack and run the Go binary, which continues only if the first argument passed to it matches a hard-coded MD5 password hash.

Next, the loader decrypts "NuxtSharp.Data" and writes its contents to a file named "File.log" on disk. "File.log" in turn decodes and runs "Spof.Data" as "12.log" using a fileless technique known as "Process Ghosting", first described by researchers in June 2021.

The design is modular: an attacker can substitute a different exploit for "Spof.Data". In this case, "Juicy.Data", which contains a different exploit, can be swapped in without recompiling "File.log".

The process behind "12.log" corresponds to the open-source privilege escalation tool PrintSpoofer, while "Juicy.Data" is another privilege escalation tool, JuicyPotatoNG.

Successful privilege escalation is followed by execution of the batch script "user.bat", which establishes persistence on the host and disables Microsoft Defender.

The researchers concluded that CherryLoader is a new multi-stage loader that combines encryption and anti-analysis techniques so that alternative, publicly available privilege escalation exploits can be dropped in without recompiling any code.
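As an added defender-side illustration (not code from the Arctic Wolf report or from this post), the following Python routine applies the chain described above to endpoint telemetry: it flags the file names named in the report, a 32-character hex argument of the kind the MD5 password gate expects, and PE images (MZ header) written under non-executable names such as "File.log" and "12.log". The `Event` record shape and the sample telemetry are constructed for the example and are not real captures.

```python
import re
from dataclasses import dataclass

# File names reported for this chain (lower-cased for matching); a name hit alone
# is low confidence, since "cherrytree.exe" is also the legitimate app's name.
KNOWN_ARTEFACTS = {"cherrytree.exe", "main.exe", "packed.rar", "nuxtsharp.data",
                   "spof.data", "juicy.data", "file.log", "12.log", "user.bat"}
# Extensions that should never carry a PE image.
DATA_EXTENSIONS = {".log", ".data", ".txt"}
# A bare 32-hex token, the shape of the MD5 hash the loader compares its first argument against.
HEX32 = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)

@dataclass
class Event:                 # constructed, simplified telemetry record
    kind: str                # "proc" = process creation, "file" = file write
    image: str               # image path of the acting process
    cmdline: str = ""        # command line (proc events)
    target: str = ""         # path written (file events)
    head: bytes = b""        # first bytes of the written content (file events)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events):
    """Return one human-readable finding per indicator matched in the events."""
    findings = []
    for e in events:
        actor = basename(e.image)
        if e.kind == "proc":
            names = {actor} | {basename(t) for t in e.cmdline.split()}
            for n in sorted(names & KNOWN_ARTEFACTS):
                findings.append(f"known CherryLoader file name in process event: {n}")
            if HEX32.search(e.cmdline):
                findings.append(f"{actor} launched with a 32-hex argument (MD5 gate?)")
        elif e.kind == "file":
            tgt = basename(e.target)
            ext = "." + tgt.rsplit(".", 1)[-1] if "." in tgt else ""
            if ext in DATA_EXTENSIONS and e.head.startswith(b"MZ"):
                findings.append(f"{actor} wrote PE content under non-executable name {tgt}")
            if tgt in KNOWN_ARTEFACTS:
                findings.append(f"{actor} wrote known CherryLoader file name {tgt}")
    return findings

# Constructed sample telemetry mirroring the chain in the post (not real captures).
SAMPLE = [
    Event("proc", r"C:\Users\u\Downloads\main.exe"),
    Event("proc", r"C:\Users\u\Downloads\cherrytree.exe", cmdline="cherrytree.exe " + "0123456789abcdef" * 2),
    Event("file", r"C:\Users\u\Downloads\cherrytree.exe", target=r"C:\Users\u\File.log", head=b"MZ\x90\x00"),
    Event("file", r"C:\Users\u\File.log", target=r"C:\Users\u\12.log", head=b"MZ\x90\x00"),
    Event("proc", r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c user.bat"),
]
```

Running `triage(SAMPLE)` yields eight findings; in practice the PE-under-data-extension and hash-argument hits are the ones worth alerting on, with the name hits used only as corroboration.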
 