A new malware loader called CherryLoader has been discovered by Arctic Wolf Labs. It disguises itself as the legitimate CherryTree note-taking application to trick victims into installing it. CherryLoader is used to deliver additional payloads onto compromised hosts for further exploitation. It can drop privilege escalation tools, such as PrintSpoofer or JuicyPotatoNG, to establish persistence on the victim’s device. CherryLoader is also modular, allowing the threat actor to swap exploits without recompiling code.
The distribution method of CherryLoader is currently unknown. However, the attack chains analyzed by Arctic Wolf Labs show that the malware and its associated files are delivered in a RAR archive hosted on a specific IP address. The loader decrypts the embedded files and executes them with a fileless technique called process ghosting, which lets the threat actor run other exploit code, such as JuicyPotatoNG, without recompiling it.
The payloads executed in this way are the open-source privilege escalation tools PrintSpoofer and JuicyPotatoNG. After a successful privilege escalation, a batch script called "user.bat" is executed to set up persistence on the host and disarm Microsoft Defender. CherryLoader is therefore a multi-stage downloader that combines encryption and anti-analysis techniques to detonate privilege escalation exploits without recompiling any code.
Overall, CherryLoader is a sophisticated malware loader that poses a significant threat to compromised hosts. Its modular design and ability to swap exploits make it difficult to detect and mitigate.