Arctic Wolf Labs has recently discovered a new threat called CherryLoader [3], a Go-based malware loader that disguises itself as the legitimate CherryTree note-taking application [3]. This loader is notable for its modularized features, allowing threat actors to easily swap out exploits without recompiling code [1] [2]. It drops privilege escalation tools to establish persistence on victim devices. The exact method of distribution for CherryLoader remains undisclosed, but it is believed to be packaged within a RAR archive file hosted on a specific IP address [3].

Description

CherryLoader is a newly identified threat that poses a significant risk to users. It masquerades as the CherryTree application [1] [2] to deceive victims into installing it [2]. Once installed, it uses encryption methods and anti-analysis techniques to deploy privilege escalation exploits [3]. Its modularized features let threat actors swap out exploits without recompiling any code [3]. The loader drops privilege escalation tools, such as PrintSpoofer or JuicyPotatoNG [1] [2], to establish persistence on victim devices [2].

The distribution method for CherryLoader is currently undisclosed [2] [3], but the loader is believed to be packaged within a RAR archive file hosted on a specific IP address [3]. The archive contains various executables and associated files [3]. Once downloaded, the RAR file initiates an executable that unpacks and launches the Golang binary. Executing this binary, however, requires a predefined MD5 password hash.

CherryLoader also uses fileless techniques, specifically one called process ghosting [1] [2], which adds an extra layer of complexity to its operation. It has been identified as a multi-stage downloader that employs diverse encryption methods and anti-analysis techniques [3].

Conclusion

CherryLoader presents a significant threat as it disguises itself as a legitimate application and utilizes various techniques to evade detection and successfully deploy privilege escalation exploits. Its modularized features and fileless techniques make it a sophisticated and adaptable threat. Mitigating this threat requires robust security measures and awareness among users. The discovery of CherryLoader highlights the ongoing need for vigilance and proactive defense against evolving malware threats.

References

[1] https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html
[2] https://flyytech.com/2024/01/25/new-cherryloader-malware-mimics-cherrytree-to-deploy-privesc-exploits/
[3] https://cybermaterial.com/cherryloader-unveils-modular-malware/