A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.
Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader's icon and name masquerade as the legitimate CherryTree note-taking application to dupe potential victims into installing it.
"CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim system," researchers Hady Azzam, Christopher Prest, and Steven Campbell said.
In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code.
It's currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader ("cherrytree.exe") and its associated files ("NuxtSharp.Data," "Spof.Data," and "Juicy.Data") are contained within a RAR archive file ("Packed.rar") hosted on the IP address 141.11.187[.]70.
Downloaded along with the RAR file is an executable ("main.exe") that's used to unpack and launch the Golang binary, which only proceeds if the first argument passed to it matches a hard-coded MD5 password hash.
The loader subsequently decrypts "NuxtSharp.Data" and writes its contents to a file named "File.log" on disk that, in turn, is designed to decode and run "Spof.Data" as "12.log" using a fileless technique known as process ghosting that first came to light in June 2021.
"This technique is modular in design and will allow the threat actor to leverage other exploit code in place of Spof.Data," the researchers said. "In this case, Juicy.Data, which contains a different exploit, can be swapped in place without recompiling File.log."
The process associated with "12.log" is linked to an open-source privilege escalation tool named PrintSpoofer, while "Juicy.Data" is another privilege escalation tool named JuicyPotatoNG.
A successful privilege escalation is followed by the execution of a batch file script called "user.bat" to set up persistence on the host and disarm Microsoft Defender.
"CherryLoader is [a] newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code," the researchers concluded.