A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.
Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader’s icon and name masquerade as the legitimate CherryTree note-taking application to dupe potential victims into installing it.
“CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim machine,” researchers Hady Azzam, Christopher Prest, and Steven Campbell said.
In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code.
It is currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader (“cherrytree.exe”) and its associated files (“NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data”) are contained within a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.
Downloaded along with the RAR file is an executable (“main.exe”) that is used to unpack and launch the Golang binary, which only proceeds if the first argument passed to it matches a hard-coded MD5 password hash.
The loader subsequently decrypts “NuxtSharp.Data” and writes its contents to a file named “File.log” on disk that, in turn, is designed to decode and run “Spof.Data” as “12.log” using a fileless technique known as process ghosting that first came to light in June 2021.
“This technique is modular in design and will allow the threat actor to leverage other exploit code in place of Spof.Data,” the researchers said. “In this case, Juicy.Data, which contains a different exploit, can be swapped in place without recompiling File.log.”
The process associated with “12.log” is linked to an open-source privilege escalation tool named PrintSpoofer, while “Juicy.Data” is another privilege escalation tool named JuicyPotatoNG.
A successful privilege escalation is followed by the execution of a batch file script called “user.bat” to set up persistence on the host and disarm Microsoft Defender.
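The attack chain above leaves a recognisable trail of artefacts: a RAR archive pulled from one IP address, the loader and its companion data files landing on disk, the intermediate stages written as .log files, and a batch script run after privilege escalation. The following Python sketch, an added example that is not Arctic Wolf's or The Hacker News' code, shows how a defender might correlate those indicators per host. The indicator values are the ones named in the article; the log format and the sample events are constructed for illustration, and a real deployment would read from an EDR or SIEM export instead.

```python
"""Correlate the CherryLoader indicators named in the article across hosts.

Added example for illustration only.  The key=value log shape and the
SAMPLE_LOG events are constructed; only the indicator values come from
the article.
"""
import re

# Indicators taken from the article.  The IP is written defanged there
# (141.11.187[.]70); we normalise both forms before comparing.
C2_IP = "141.11.187.70"
ARCHIVE_NAME = "packed.rar"
LOADER_FILES = {"cherrytree.exe", "main.exe", "nuxtsharp.data", "spof.data", "juicy.data"}
STAGE_FILES = {"file.log", "12.log"}
PERSISTENCE_SCRIPT = "user.bat"

# Constructed events: "<kind> key=value key="quoted value" ..." (not a real EDR format).
# WKSTN01 shows the full chain; WKSTN02 only runs the legitimate CherryTree app.
SAMPLE_LOG = r"""
net  host=WKSTN01 dst=141.11.187[.]70 proto=tcp action=connect
file host=WKSTN01 op=create path=C:\Users\alice\Downloads\Packed.rar
file host=WKSTN01 op=create path=C:\Users\alice\Downloads\cherrytree.exe
proc host=WKSTN01 image=C:\Users\alice\Downloads\main.exe parent=explorer.exe
proc host=WKSTN01 image=C:\Users\alice\Downloads\cherrytree.exe parent=main.exe
file host=WKSTN01 op=create path=C:\Users\alice\Downloads\File.log
file host=WKSTN01 op=create path=C:\Users\alice\Downloads\12.log
proc host=WKSTN01 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c user.bat"
proc host=WKSTN02 image="C:\Program Files\CherryTree\cherrytree.exe" parent=explorer.exe
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one log line into a dict of fields plus its event kind."""
    kind, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
    fields["kind"] = kind
    return fields


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the indicator category an event matches, or None."""
    kind = ev["kind"]
    if kind == "net":
        if ev.get("dst", "").replace("[.]", ".") == C2_IP:
            return "c2_ip"
    elif kind == "file":
        name = basename(ev.get("path", ""))
        if name == ARCHIVE_NAME:
            return "archive_drop"
        if name in LOADER_FILES:
            return "loader_file"
        if name in STAGE_FILES:
            return "stage_file"
    elif kind == "proc":
        if basename(ev.get("image", "")) in LOADER_FILES:
            return "loader_file"
        if PERSISTENCE_SCRIPT in ev.get("cmdline", "").lower():
            return "persistence_script"
    return None


def analyze(log_text):
    """Map each host to the sorted set of indicator categories seen on it."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            findings.setdefault(ev.get("host", "?"), set()).add(tag)
    return {host: sorted(tags) for host, tags in findings.items()}


def flagged_hosts(findings, min_categories=2):
    """A lone filename hit is weak evidence (the real CherryTree is also
    cherrytree.exe), so require several independent categories per host."""
    return sorted(h for h, tags in findings.items() if len(tags) >= min_categories)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for host, tags in results.items():
        print(host, tags)
    print("flagged:", flagged_hosts(results))
```

The threshold in `flagged_hosts` is the design point worth noting: because the loader deliberately borrows the CherryTree name, a rule that alerts on the filename alone would page on every legitimate install, whereas the combination of the download source, the dropped data files, the .log stages and the batch script is specific to this chain.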
“CherryLoader is [a] newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code,” the researchers concluded.