New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

January 25, 2024 at 02:30AM

CherryLoader, a new Go-based malware loader, has been discovered by threat hunters. It masquerades as the legitimate CherryTree note-taking application to trick victims. The loader delivers privilege escalation tools and can swap out exploits without recompiling code. Its distribution method is unknown, but it is contained in a RAR archive file hosted on a specific IP address.

CherryLoader is a new Go-based malware loader identified by threat hunters. It disguises itself as the legitimate CherryTree note-taking application to deceive potential victims into installing it. CherryLoader has been used to drop privilege escalation tools such as PrintSpoofer and JuicyPotatoNG, which are launched through a batch file that establishes persistence on the victim device. The loader is also modular, allowing threat actors to swap exploits without recompiling code.

In the attack chain examined, CherryLoader and its associated files are packaged in a RAR archive hosted on a specific IP address. Once the archive is downloaded and opened, the Go binary is launched, and the loader proceeds only when the supplied password matches a hard-coded MD5 hash. The loader then decrypts its payloads and executes them using process ghosting, a fileless technique in which the executable is created from an image whose backing file has already been deleted. The loader's modular design lets threat actors substitute different exploit code without rebuilding the loader itself.
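As an added example for the process-ghosting stage described above (this is not code from the article or from the researchers), the following Python triage runs over constructed process-creation records and a constructed snapshot of which image files existed on disk when each process started. A process whose image path was already gone at creation time is the classic indicator of process ghosting; the script then walks that process's children to find a `cmd.exe` running a `.bat` file, which matches the batch-file persistence stage the article describes. All paths, PIDs and command lines are made up for the example; nothing here is an indicator from the actual campaign.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    """One process-creation record, in the shape an EDR or Sysmon event would carry."""
    pid: int
    ppid: int
    image: str     # full path of the executable image
    cmdline: str   # command line as recorded by the sensor


# Constructed sample telemetry (hypothetical, not real IoCs): a downloaded
# loader, a process whose image file was deleted before the process started,
# and a cmd.exe child that runs a batch file.
SAMPLE_EVENTS = [
    ProcCreate(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcCreate(1200, 1000, r"C:\Users\u\Downloads\cherrytree_setup.exe", "cherrytree_setup.exe"),
    ProcCreate(1300, 1200, r"C:\Users\u\AppData\Local\Temp\tmp8Fa2.tmp",
               r"C:\Users\u\AppData\Local\Temp\tmp8Fa2.tmp"),
    ProcCreate(1400, 1300, r"C:\Windows\System32\cmd.exe",
               r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    ProcCreate(1500, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Constructed snapshot of files present on disk at the moment the events were
# recorded. A real sensor must evaluate this at process-start time: checking
# long after the fact would flag ordinary temp-file cleanup as "ghosting".
ON_DISK = {
    r"C:\Windows\explorer.exe",
    r"C:\Users\u\Downloads\cherrytree_setup.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe",
}


def ghost_candidates(events, on_disk):
    """Events whose image file did not exist when the process was created."""
    return [e for e in events if e.image not in on_disk]


def descendants(events, root_pid):
    """All processes below root_pid in the parent/child tree, depth first."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in by_parent.get(pid, []):
            out.append(child)
            stack.append(child.pid)
    return out


def batch_children(events, root_pid):
    """cmd.exe descendants of a process that execute a .bat file."""
    return [c for c in descendants(events, root_pid)
            if c.image.lower().endswith("\\cmd.exe") and ".bat" in c.cmdline.lower()]


def triage(events=SAMPLE_EVENTS, on_disk=ON_DISK):
    """Return one finding per ghost candidate, with any batch-file children attached."""
    findings = []
    for g in ghost_candidates(events, on_disk):
        findings.append({
            "ghost_pid": g.pid,
            "parent_pid": g.ppid,
            "batch": [c.cmdline for c in batch_children(events, g.pid)],
        })
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f)
```

The image-missing-at-start check is the heart of the detection; the batch-file walk only adds context so an analyst sees the persistence step together with the ghosted process rather than as two unrelated alerts. On a real endpoint the `on_disk` lookup would be replaced by the sensor's own file-existence check performed in the process-creation callback.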

The executed payloads launch the privilege escalation tools, after which a batch file runs to set up persistence on the host and disable Microsoft Defender. The researchers concluded that CherryLoader is a newly identified multi-stage downloader that deliberately combines different encryption methods and exploits so that exploits can be changed without recompiling the loader.
