CherryLoader: The Deceptive Downloader Disguised as CherryTree App Unveiled

Researchers at Arctic Wolf have discovered a new malicious downloader, crafted in the Go language and dubbed CherryLoader. This threat, previously observed in the wild, aims to facilitate the delivery of additional malware onto compromised hosts for further exploitation.

Discovered during two recent breaches, the downloader masquerades as the legitimate CherryTree note-taking app, deceiving potential victims into installing it.

Experts have noted CherryLoader’s deployment of one of two legitimate open-source tools for privilege escalation—PrintSpoofer or JuicyPotatoNG—which then initiates a batch file to establish a persistent presence on the victim’s device.


A notable innovation of CherryLoader is its modularity, allowing attackers to switch exploits without the need for code recompilation.

The method of distribution for the downloader remains unclear, but attack chain analysis revealed that CherryLoader (“cherrytree.exe”) and associated files (“NuxtSharp.Data”, “Spof.Data”, and “Juicy.Data”) are contained within a RAR archive (“Packed.rar”), hosted at the IP address “141.11.187[.]70”.

Accompanying the RAR archive, an executable file (“main.exe”) is downloaded, serving to unpack and launch the Golang binary file, which proceeds only if the first argument passed matches a hardcoded MD5 password hash.

The downloader then decrypts “NuxtSharp.Data” and writes its contents to a “File.log” file on disk, which, in turn, is designed to decode and execute “Spof.Data” as “12.log” using the “Process Ghosting” technique, first described by researchers in June 2021.

This technique’s modular design allows the attacker to use an alternative exploit in place of “Spof.Data”. In this instance, “Juicy.Data”, which contains a different exploit, can be substituted without recompiling “File.log”.

The process associated with “12.log” is linked to the open-source privilege escalation tool PrintSpoofer, while “Juicy.Data” represents another privilege escalation tool, named JuicyPotatoNG.

Successful privilege escalation is followed by the execution of the “user.bat” batch script to establish a permanent presence on the host and disable Microsoft Defender.

The researchers concluded that CherryLoader is a new multi-stage downloader utilizing various encryption and anti-analysis methods in an attempt to employ alternative, publicly available privilege escalation exploits without the need for any code recompilation.
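
The file names, parent/child relationship and address reported in the chain above can be combined into a simple host-level hunt. The following is an added example, not code from Arctic Wolf or from the original article; the event schema, the two-reason threshold and the sample events are constructed assumptions.

```python
import ntpath

# File names and address are the ones quoted in the article; the event
# schema (type/host/image/parent_image/command_line/path/dest_ip) is assumed.
PAYLOAD_FILES = {"packed.rar", "nuxtsharp.data", "spof.data", "juicy.data"}
STAGE_FILES = {"file.log", "12.log"}
ARCHIVE_HOST = "141.11.187[.]70".replace("[.]", ".")  # refang for matching

def classify(event):
    """Return the reasons one event matches the chain described above."""
    reasons = []
    kind = event.get("type")
    if kind == "process_create":
        image = ntpath.basename(event.get("image", "")).lower()
        parent = ntpath.basename(event.get("parent_image", "")).lower()
        if image.endswith(".log"):
            reasons.append("process image named *.log")
        if image == "cherrytree.exe" and parent == "main.exe":
            reasons.append("cherrytree.exe started by main.exe")
        if "user.bat" in event.get("command_line", "").lower():
            reasons.append("user.bat executed")
    elif kind == "file_create":
        name = ntpath.basename(event.get("path", "")).lower()
        if name in PAYLOAD_FILES | STAGE_FILES:
            reasons.append("staged file " + name)
    elif kind == "network" and event.get("dest_ip") == ARCHIVE_HOST:
        reasons.append("connection to archive host")
    return reasons

def hunt(events):
    # Flag hosts with two or more distinct reasons; one generic name alone
    # (a stray File.log, a genuine CherryTree install) is not enough.
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= 2}

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    {"type": "network", "host": "WS01", "dest_ip": "141.11.187.70"},
    {"type": "file_create", "host": "WS01", "path": r"C:\Users\Public\Spof.Data"},
    {"type": "process_create", "host": "WS01", "image": r"C:\Users\Public\12.log",
     "parent_image": r"C:\Users\Public\cherrytree.exe", "command_line": "12.log"},
    {"type": "process_create", "host": "WS02", "image": r"C:\Program Files\CherryTree\cherrytree.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cherrytree.exe notes.ctb"},
    {"type": "file_create", "host": "WS02", "path": r"C:\Temp\File.log"},
]
```

In the constructed sample, WS01 is flagged on three independent reasons, while WS02 (a genuine CherryTree launch plus an unrelated File.log) stays below the threshold.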