CherryLoader Malware Discovered as a Sneaky Threat, Delivering Payloads for Follow-on Exploitation
ICARO Media Group
Researchers at Arctic Wolf Labs have uncovered a new malware loader called CherryLoader that poses a significant threat to compromised hosts by delivering additional payloads for follow-on exploitation. The threat hunters discovered this Go-based attack tool in two recent intrusions, revealing its sophisticated tactics.
CherryLoader employs deceptive techniques to dupe potential victims into installing it. It masquerades as the legitimate CherryTree note-taking application, using a similar icon and name. This clever disguise increases the chances of successful installation and compromise.
The researchers at Arctic Wolf Labs observed that CherryLoader was employed to drop one of two privilege escalation tools, namely PrintSpoofer or JuicyPotatoNG. These malicious tools would then execute a batch file, ensuring persistence on the victim's device. The modularized features of CherryLoader enable the threat actor to swap exploits effortlessly without the need to recompile any code, significantly enhancing their ability to evade detection.
The exact method of CherryLoader's distribution remains unknown; however, the cybersecurity firm examined attack chains that revealed the presence of CherryLoader's files, including "cherrytree.exe," "NuxtSharp.Data," "Spof.Data," and "Juicy.Data," contained within a RAR archive file named "Packed.rar." This archive file was found to be hosted on the IP address 141.11.187[.]70.
Once downloaded, CherryLoader uses an executable called "main.exe" to unpack and launch the Golang binary. Execution proceeds only if the first argument passed matches a hard-coded MD5 password hash. The loader then decrypts "NuxtSharp.Data" and writes its contents to a file named "File.log" on disk. From there, a fileless technique known as process ghosting, first documented in June 2021, is used to decode and run "Spof.Data" as "12.log." Because the loader is modular, the threat actor can swap "Spof.Data" for "Juicy.Data" to use a different exploit without recompiling "File.log."
The process that runs as "12.log" corresponds to one of two open-source privilege escalation tools: PrintSpoofer or JuicyPotatoNG, both well-known Windows privilege escalation tools.
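A defender-side triage check suggested by the chain described above, added here as an example (not code from the article or from Arctic Wolf): it flags process-creation records whose image or parent image carries a non-executable extension such as ".log", and any image, parent or command-line token matching the artifact names the report lists. The record format and sample events are constructed, and the Sysmon field names are borrowed only as labels.

```python
from dataclasses import dataclass
# Extensions a Windows process image essentially never carries; a process running
# as "File.log" or "12.log" (the names in the chain above) is the anomaly to surface.
NON_EXEC_EXTS = {".log", ".data", ".txt", ".dat"}
# Artifact names taken from the report, matched case-insensitively.
KNOWN_ARTIFACTS = {"packed.rar", "nuxtsharp.data", "spof.data", "juicy.data", "file.log", "12.log"}

@dataclass
class ProcEvent:
    image: str
    parent: str
    cmdline: str

def parse_event(line: str) -> ProcEvent:
    # Constructed 'Key=Value|Key=Value' record: a stand-in for Sysmon Event ID 1 fields.
    f = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(f["Image"], f["ParentImage"], f.get("CommandLine", ""))

def name_ext(path: str) -> tuple[str, str]:
    # Lower-cased file name and its extension ("" if none) from a Windows path.
    name = path.rsplit("\\", 1)[-1].lower()
    return name, (name[name.rfind("."):] if "." in name else "")

def evaluate(ev: ProcEvent) -> list[str]:
    """Return the reasons an event resembles the CherryLoader chain (empty if none)."""
    reasons = []
    for label, path in (("process", ev.image), ("parent", ev.parent)):
        name, ext = name_ext(path)
        if ext in NON_EXEC_EXTS:
            reasons.append(f"{label} image has non-executable extension: {name}")
    # Any reported artifact name seen as image, parent or a command-line token.
    names = {name_ext(p)[0] for p in (ev.image, ev.parent, *ev.cmdline.split())}
    reasons += [f"known artifact name: {n}" for n in sorted(names & KNOWN_ARTIFACTS)]
    return reasons

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if reasons := evaluate(ev):
            flagged.append((ev.image, reasons))
    return flagged

# Constructed sample records (not real telemetry): a benign launch, then the stages above.
SAMPLE = [
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
    r"Image=C:\Users\v\Downloads\main.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=main.exe",
    r"Image=C:\Users\v\Downloads\File.log|ParentImage=C:\Users\v\Downloads\main.exe|CommandLine=File.log",
    r"Image=C:\Users\v\Downloads\12.log|ParentImage=C:\Users\v\Downloads\File.log|CommandLine=12.log",
]
```

Because process ghosting removes the on-disk file before the process starts, this check relies on the image path recorded by process-creation telemetry rather than on scanning files that may no longer exist.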
The researchers concluded that CherryLoader is a newly identified multi-stage downloader that deploys various encryption methods and anti-analysis techniques. Its aim is to leverage publicly available privilege escalation exploits, reducing the need to recompile any code, and increasing the complexity of detection.
As the threat landscape continues to evolve, it is crucial for organizations to stay informed about emerging threats like CherryLoader. They should implement robust security measures, educate employees about the risks, and regularly update their security systems to protect against such advanced malware.