A new Go-based malware loader known as CherryLoader has been found by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.
Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader’s icon and name masquerade as the legitimate CherryTree note-taking application to dupe potential victims into installing it.
“CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim machine,” researchers Hady Azzam, Christopher Prest, and Steven Campbell said.
In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code.
It is currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader (“cherrytree.exe”) and its associated files (“NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data”) are contained within a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.
Downloaded along with the RAR file is an executable (“main.exe”) that is used to unpack and launch the Golang binary, which only proceeds if the first argument passed to it matches a hard-coded MD5 password hash.
The loader subsequently decrypts “NuxtSharp.Data” and writes its contents to a file named “File.log” on disk that, in turn, is designed to decode and run “Spof.Data” as “12.log” using a fileless technique known as process ghosting that first came to light in June 2021.
“This technique is modular in design and will allow the threat actor to leverage other exploit code in place of Spof.Data,” the researchers said. “In this case, Juicy.Data, which contains a different exploit, can be swapped in place without recompiling File.log.”
The process associated with “12.log” is linked to an open-source privilege escalation tool named PrintSpoofer, while “Juicy.Data” is another privilege escalation tool named JuicyPotatoNG.
A successful privilege escalation is followed by the execution of a batch file script called “user.bat” to set up persistence on the host, disable Microsoft Defender, and amend firewall rules to facilitate remote connections.
“CherryLoader is [a] newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code,” the researchers concluded.
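To show how a defender can turn the chain described above into host-level detection logic, here is an added example; it is not Arctic Wolf’s code and not part of the original write-up. It correlates constructed process, file and network events per host against the indicators the article names: the hosting IP, the archive and payload file names, the MD5-shaped first argument the loader requires, and a batch script launched after the loader has run. The key=value log format, the per-indicator weights and the alert threshold are assumptions; a second host running a legitimate copy of cherrytree.exe shows why a file-name match on its own should not raise an alert.

```python
"""Correlate constructed host telemetry against the CherryLoader chain.

Added example, not Arctic Wolf's code. Log format, weights and threshold are
assumptions made for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators named in the write-up (the IP is published defanged as 141.11.187[.]70).
IOC_IP = "141.11.187.70"
IOC_FILES = {"packed.rar", "main.exe", "cherrytree.exe", "nuxtsharp.data",
             "spof.data", "juicy.data", "file.log", "12.log", "user.bat"}
MD5_ARG = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Assumed telemetry format: one event per line, space-separated key=value
# pairs, values containing spaces wrapped in double quotes.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events: ws01 walks the chain from the write-up, ws02 is a
# normal CherryTree user whose binary happens to share the loader's file name.
SAMPLE_EVENTS = r"""
host=ws01 type=net proc=main.exe dst=141.11.187.70 port=80
host=ws01 type=proc cmdline="main.exe"
host=ws01 type=file proc=main.exe op=write path=C:\Users\a\Packed.rar
host=ws01 type=proc cmdline="cherrytree.exe 5f4dcc3b5aa765d61d8327deb882cf99"
host=ws01 type=file proc=cherrytree.exe op=write path=C:\Users\a\File.log
host=ws01 type=file proc=cherrytree.exe op=write path=C:\Users\a\12.log
host=ws01 type=proc cmdline="cmd.exe /c C:\Users\a\user.bat"
host=ws02 type=proc cmdline="cherrytree.exe"
host=ws02 type=file proc=cherrytree.exe op=write path=C:\Users\b\notes.ctb
"""

# Assumed weights: behaviour and infrastructure count more than a file name.
WEIGHTS = {"ip": 3, "md5_arg": 2, "batch_after_loader": 2, "file": 1}
THRESHOLD = 5  # a lone file-name match must not page anyone


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased final path component, accepting both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_host(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Apply the indicator rules to one host's events, in time order."""
    hits: List[Tuple[str, str]] = []
    seen_files = set()
    loader_seen = False
    for ev in events:
        kind = ev.get("type")
        names: List[str] = []
        if kind == "net" and ev.get("dst") == IOC_IP:
            hits.append(("ip", f"connection to hosting IP {IOC_IP}"))
        elif kind == "file":
            names.append(basename(ev.get("path", "")))
        elif kind == "proc":
            argv = ev.get("cmdline", "").split()
            names.extend(basename(a) for a in argv)
            if argv and basename(argv[0]) == "cherrytree.exe":
                loader_seen = True
            # The Go binary only proceeds when its first argument matches a
            # hard-coded MD5 hash, so a 32-hex-digit first argument is a signal.
            if len(argv) > 1 and MD5_ARG.match(argv[1]):
                hits.append(("md5_arg", f"{basename(argv[0])} started with an MD5-shaped argument"))
            # The write-up's chain ends with a batch script run after the loader.
            if loader_seen and any(n.endswith(".bat") for n in names[1:]):
                hits.append(("batch_after_loader", "batch script run after the loader"))
        for n in names:
            if n in IOC_FILES and n not in seen_files:
                seen_files.add(n)
                hits.append(("file", f"known file name {n}"))
    score = sum(WEIGHTS[k] for k, _ in hits)
    return {"score": score, "suspicious": score >= THRESHOLD,
            "hits": [desc for _, desc in hits]}


def analyze(log_text: str) -> Dict[str, Dict[str, object]]:
    """Group events by host and score each host independently."""
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if "host" in ev:
            by_host[ev["host"]].append(ev)
    return {host: score_host(evs) for host, evs in by_host.items()}


if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{host}: score={result['score']} {flag}")
        for desc in result["hits"]:
            print(f"  - {desc}")
```

Running it scores ws01 well above the threshold (the hosting IP, the MD5-shaped argument, the payload files and the trailing batch script all contribute) while ws02, which only matches the shared file name, stays below it. In a real deployment the events would come from an EDR or Sysmon pipeline rather than a string, and the weights would be tuned against the environment’s own baseline.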