Arctic Wolf Labs has identified a new threat in the wild known as CherryLoader, a malware loader built on Go that conceals its malicious intent by masquerading as the legitimate CherryTree note-taking application. The discovery emerged from recent intrusions, where CherryLoader was found to deliver additional payloads for subsequent exploitation on compromised systems. Notably, the loader employs an icon and name resembling CherryTree, aiming to deceive potential victims into unwittingly installing it.
The modus operandi of CherryLoader involves dropping privilege escalation tools, such as PrintSpoofer or JuicyPotatoNG, after successful installation. The researchers at Arctic Wolf Labs, including Hady Azzam, Christopher Prest, and Steven Campbell, detail that CherryLoader operates with a unique twist—it incorporates modularized features that allow threat actors to interchange exploits without the need for code recompilation. This adaptability provides a level of sophistication to the malware, enabling threat actors to stay agile and deploy alternative exploits seamlessly.
Despite the discovery of CherryLoader, the method of its distribution remains undisclosed. Examination of attack chains by the cybersecurity firm suggests that CherryLoader and its associated files are packaged within a RAR archive file hosted on a specific IP address. The archive file, named “Packed.rar,” contains executables such as “cherrytree.exe” and associated files like “NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data.” The researchers emphasize the modular design of CherryLoader, noting that it leverages encryption methods and anti-analysis techniques to deploy various privilege escalation exploits without the need for recompiling any code.
In the intricate process, the RAR file also downloads an executable (“main.exe”) responsible for unpacking and launching the Golang binary. This binary execution proceeds only if a predefined MD5 password hash matches the first argument passed to it. The subsequent steps involve decryption, writing contents to files, and utilizing fileless techniques like process ghosting, adding layers of complexity to CherryLoader’s operation. The researchers conclude that CherryLoader represents a newly identified multi-stage downloader, showcasing its capacity to employ diverse encryption methods and anti-analysis techniques in an attempt to execute alternative privilege escalation exploits seamlessly.
