January 25, 2024 at 12:52PM
Researchers have detected a threat actor utilizing a new, sophisticated downloader named “CherryLoader” to gain admin-level access on systems. The attacker also utilized privilege escalation tools from the “potato” family. CherryLoader’s notable feature is its ability to swap payloads without recompiling code, enhancing flexibility and evading detection.
Key takeaways:
1. Threat actor achieved admin-level access on targeted systems using a new, sophisticated downloader called “CherryLoader” and privilege escalation tools from the “potato” family.
2. CherryLoader is a multistage, modular loader written in Golang, which masquerades as legitimate software and has the ability to seamlessly swap payloads without recompiling any code.
3. The attacker deployed two notable off-the-shelf tools, PrintSpoofer and JuicyPotatoNG, for gaining admin access.
4. The attacker also used a batch script called user.bat for persistence and anti-analysis functions, including creating an admin account, adding executable files to the exclusion (allow) list of Microsoft Defender, disabling Microsoft Defender AntiSpyware, and amending firewall rules to enable remote connections.
5. Arctic Wolf declined to comment on the outcome of either intrusion in this campaign.
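The persistence and anti-analysis actions attributed to user.bat in item 4 each leave a host artifact a defender can check for. The following audit script is an added example, not code from the report or from Arctic Wolf; it assumes an elevated PowerShell session on Windows 10/Server 2016 or later with the Defender, LocalAccounts and NetSecurity modules available, and the seven-day lookback and the "rule with no group" heuristic are assumptions.

```powershell
# Added audit script (not from the report): looks for the host artifacts the
# user.bat behaviours described above would leave behind.
# Assumptions: elevated session; Defender, LocalAccounts and NetSecurity
# modules present; 7-day lookback window for account events.
$findings = @()
$since = (Get-Date).AddDays(-7)

# 1. Admin account creation: current Administrators membership plus recent
#    Security events 4720 (user created) and 4732 (member added to local group).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Local Administrators: $($admins -join ', ')"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "Account event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])"
    }

# 2. Defender exclusions: any path, process or extension exclusion is worth
#    reviewing, since the script added executables here to avoid scanning.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $vals = $pref.$kind
    if ($vals) { $findings += "Defender $kind : $($vals -join '; ')" }
}

# 3. Defender AntiSpyware disabled by policy (DisableAntiSpyware = 1).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pol = Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) {
    $findings += "DisableAntiSpyware=1 set under $polKey"
}

# 4. Firewall changes enabling remote connections: enabled inbound allow rules
#    that belong to no built-in rule group (heuristic for ad hoc additions).
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { [string]::IsNullOrEmpty($_.Group) } |
    ForEach-Object { $findings += "Inbound allow rule outside any group: $($_.DisplayName)" }

$findings
```

Treat each finding as a lead to triage against the host's expected baseline rather than as proof of compromise, since legitimate administration produces the same artifacts.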