New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.

Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader’s icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims into installing it.

“CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device,” researchers Hady Azzam, Christopher Prest, and Steven Campbell said.

In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code.

It’s currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader (“cherrytree.exe”) and its associated files (“NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data”) are contained within a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.

Downloaded along with the RAR file is an executable (“main.exe”) that’s used to unpack and launch the Golang binary, which only proceeds if the first argument passed to it matches a hard-coded MD5 password hash.

The loader subsequently decrypts “NuxtSharp.Data” and writes its contents to a file named “File.log” on disk that, in turn, is designed to decode and run “Spof.Data” as “12.log” using a fileless technique known as process ghosting that first came to light in June 2021.

“This technique is modular in design and will allow the threat actor to leverage other exploit code in place of Spof.Data,” the researchers said. “In this case, Juicy.Data which contains a different exploit, can be swapped in place without recompiling File.log.”

The process associated with “12.log” is linked to an open-source privilege escalation tool named PrintSpoofer, while “Juicy.Data” is another privilege escalation tool named JuicyPotatoNG.

A successful privilege escalation is followed by the execution of a batch file script called “user.bat” to set up persistence on the host, disarm Microsoft Defender, and amend firewall rules to facilitate remote connections.

“CherryLoader is [a] newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code,” the researchers concluded.