In the ever-evolving landscape of cybersecurity threats, a new player has emerged: CherryLoader. This malware operates with a deceptive strategy, camouflaging itself as the legitimate CherryTree note-taking application to trick unsuspecting users into installing the malicious payload. Unearthed in recent intrusions, CherryLoader has raised eyebrows among researchers due to its unusual tactics and advanced capabilities. This article delves into the details of CherryLoader, exploring its malicious actions, consequences, and potential risks.
CherryLoader’s Unconventional Approach
CherryLoader takes on the guise of the authentic CherryTree note-taking application, exploiting the trust users place in legitimate software. This deceptive tactic aims to lure potential victims into unwittingly installing the malware, highlighting the evolving sophistication of modern cyber threats.
Researchers, including Hady Azzam, Christopher Prest, and Steven Campbell, have identified CherryLoader’s primary purpose: delivering either PrintSpoofer or JuicyPotatoNG, both classified as privilege escalation tools. These tools, in turn, execute a batch file that establishes persistence on the victim’s device.
CherryLoader’s Malicious Capabilities
A distinctive feature of CherryLoader is its modularized design, allowing threat actors to seamlessly swap exploits without recompiling code. This adaptability enables the loader to switch between different privilege escalation exploits, enhancing its evasiveness and making detection and mitigation more challenging.
CherryLoader’s distribution method is currently unknown. However, cybersecurity experts have observed it in attack chains where it is delivered inside a RAR archive named “Packed.rar” hosted on the IP address 141.11.187[.]70. This underlines the importance of exercising caution when handling downloadable content, even from seemingly innocuous sources.
CherryLoader employs a fileless technique known as process ghosting during its execution. This technique, first documented in June 2021, is used as the loader decrypts the “NuxtSharp.Data” payload and writes its contents to a file named “File.log.”
The loader utilizes both PrintSpoofer and JuicyPotatoNG, two distinct privilege escalation tools, to elevate its privileges on the compromised system. The modular nature of CherryLoader allows threat actors to choose and execute the most effective tool for a given scenario.
Persistence and Disarming Microsoft Defender
Following successful privilege escalation, CherryLoader executes a batch file script called “user.bat.” This script establishes persistence on the host and disarms Microsoft Defender, further securing its foothold on the compromised system.
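For defenders, the concrete artifacts this article names (the staging IP and archive from the delivery chain described earlier, and the NuxtSharp.Data, File.log and user.bat files from the execution and persistence stages) are the most immediately actionable part. The following is an added example, not code from the article or from the researchers it cites: a small Python sweep that checks log lines for those indicators. The log format, the sample lines, the file paths in them and the rule names are all constructed assumptions.

```python
"""Added example (not part of the original article): sweep log lines for the
CherryLoader indicators the article names. Log format, sample lines, paths
and rule names are constructed assumptions."""
import re
from dataclasses import dataclass

# Indicators quoted from the article. The IP is published defanged ("[.]")
# and is refanged here so it can be matched against real log text.
DEFANGED_IP = "141.11.187[.]70"
ARCHIVE_NAME = "Packed.rar"
HOST_ARTIFACTS = ("NuxtSharp.Data", "File.log", "user.bat")
TOOL_NAMES = ("PrintSpoofer", "JuicyPotatoNG")


def refang(ioc: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into its literal form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


STAGING_IP = refang(DEFANGED_IP)

# Match the IP only as a whole token, so that e.g. "141.11.187.705" or
# "1141.11.187.70" do not produce a false positive.
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(STAGING_IP) + r"(?![\d.])")


@dataclass
class Hit:
    rule: str
    indicator: str
    line: str


def sweep(lines):
    """Return one Hit per (rule, indicator) found in each log line."""
    hits = []
    for line in lines:
        lowered = line.lower()
        if _IP_RE.search(line):
            hits.append(Hit("cherryloader_staging_ip", STAGING_IP, line))
        if ARCHIVE_NAME.lower() in lowered:
            hits.append(Hit("cherryloader_archive", ARCHIVE_NAME, line))
        for name in HOST_ARTIFACTS:
            # File names are compared case-insensitively (NTFS is case-insensitive).
            if name.lower() in lowered:
                hits.append(Hit("cherryloader_host_artifact", name, line))
        for tool in TOOL_NAMES:
            if tool.lower() in lowered:
                hits.append(Hit("privesc_tool_name", tool, line))
    return hits


def summarize(hits):
    """Count hits per rule, e.g. {'cherryloader_archive': 1, ...}."""
    counts = {}
    for hit in hits:
        counts[hit.rule] = counts.get(hit.rule, 0) + 1
    return counts


# Constructed sample lines (proxy log and Sysmon-style events); the hosts,
# paths and timestamps are invented for the example.
SAMPLE_LOGS = [
    "2024-01-25T10:02:11Z proxy client=10.0.0.15 dst=141.11.187.70 GET /Packed.rar status=200",
    # Benign line: a different address in the same range must not match.
    "2024-01-25T10:02:12Z proxy client=10.0.0.16 dst=141.11.187.7 GET /index.html status=200",
    "2024-01-25T10:03:41Z sysmon EventID=11 TargetFilename=C:\\Users\\Public\\File.log",
    "2024-01-25T10:04:02Z sysmon EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=\"cmd.exe /c user.bat\"",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"[{hit.rule}] {hit.indicator}: {hit.line}")
    print(summarize(sweep(SAMPLE_LOGS)))
```

The file-name rules are deliberately broad (a file called File.log or user.bat is not unique to this loader), so they are better treated as hunting leads to correlate with the network indicator and with a process-creation event showing a batch file launched right after privilege elevation than as standalone alerts; the IP rule uses token boundaries so that neighbouring addresses in the same range do not fire.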
In conclusion, CherryLoader stands out as a newly identified multi-stage downloader equipped with various encryption methods and anti-analysis techniques. Its ability to seamlessly execute alternative privilege escalation exploits without recompiling code makes it a potent and adaptive threat. Cybersecurity experts are diligently monitoring and analyzing CherryLoader to develop effective countermeasures against this sophisticated malware. As threats continue to evolve, users must remain vigilant, adopt best security practices, and stay informed about emerging cybersecurity risks.