New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.

Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader’s icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims into installing it.

“CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device,” researchers Hady Azzam, Christopher Prest, and Steven Campbell said.

It’s currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader (“cherrytree.exe”) and its associated files (“NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data”) are contained within a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.

Downloaded along with the RAR file is an executable (“main.exe”) that’s used to unpack and launch the Golang binary, which only proceeds if the first argument passed to it matches a hard-coded MD5 password hash.

A successful privilege escalation is followed by the execution of a batch file script called “user.bat” to set up persistence on the host, disarm Microsoft Defender, and amend firewall rules to facilitate remote connections.

“CherryLoader is [a] newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code,” the researchers concluded.