New Go-based Malware Loader Discovered | Arctic Wolf

Arctic Wolf Labs uncovered CherryLoader, a Go-based loader that masquerades as the CherryTree note-taking application and was used in recent intrusions; its modular design lets the operators swap exploits without recompiling. It decrypts its payloads, drops two publicly available privilege-escalation tools (PrintSpoofer and JuicyPotatoNG) and runs them filelessly via process ghosting, after which a batch script establishes persistence. #CherryLoader #CherryTree #PrintSpoofer #JuicyPotatoNG #NuxtSharp #SpofData #JuicyData

Keypoints

  • The threat group used a new Go-based loader called “CherryLoader” in recent intrusions.
  • CherryLoader’s design is modular, enabling exploit swaps without recompiling code.
  • It drops two publicly available privilege-escalation tools: PrintSpoofer and JuicyPotatoNG.
  • The attack chain uses process ghosting to run the privilege-escalation payloads filelessly; a follow-on batch script then establishes persistence.
  • Initial delivery: a password-protected archive (Packed.rar) and an unpacker (main.exe) were downloaded from 141.11.187[.]70; the archive contains cherrytree.exe (the loader) and its encrypted data files.
  • The loader XOR-decrypts NuxtSharp.Data, then decrypts Spof.Data and Juicy.Data (AES), and uses CreateFileW/CreateProcessW as part of the process ghosting sequence to execute the payload without leaving it on disk.
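The page gives the loader's command line (`Cherrytree.exe 405060EEw@! NuxtSharp.Data Spof.Data`) and says NuxtSharp.Data is decrypted "with a simple XOR algorithm", but not the exact keystream. The following triage script is an added example (not Arctic Wolf's or CherryLoader's code) of how an analyst would test the obvious hypothesis, repeating-key XOR with the command-line password, and fall back to known-plaintext key recovery against the PE DOS stub when that guess fails. The sample blob, the password-as-key assumption, and the `triage` / `recover_key` helpers are all constructed here.

```python
"""
Added triage example (not Arctic Wolf's code, not CherryLoader's code).
ASSUMPTION: the "simple XOR algorithm" is repeating-key XOR; the real
keystream is not documented on the page. The sample blob is constructed.
"""
from itertools import cycle
from typing import Optional, Tuple

# Known-plaintext anchors present in essentially every Windows PE file.
MZ_HEADER = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E   # where the MSVC-style DOS stub usually places the string

PASSWORD = "405060EEw@!"  # first argument on the command line shown on the page


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: MZ magic plus the DOS stub string in the first page."""
    return blob[:2] == MZ_HEADER and DOS_STUB in blob[:0x100]


def recover_key(ciphertext: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery for a repeating key of length key_len:
    key[pos % key_len] = ct[pos] ^ pt[pos], using the DOS stub as pt."""
    if DOS_STUB_OFFSET + key_len > len(ciphertext) or key_len > len(DOS_STUB):
        return None
    key = bytearray(key_len)
    for i in range(key_len):
        pos = DOS_STUB_OFFSET + i
        key[pos % key_len] = ciphertext[pos] ^ DOS_STUB[i]
    return bytes(key)


def triage(ciphertext: bytes, password: str) -> Optional[Tuple[bytes, bytes]]:
    """Try the password as the key; if the result is not a PE, derive the key
    from known plaintext for lengths 1..32. Returns (key, plaintext) or None."""
    guess = password.encode()
    pt = xor_repeating(ciphertext, guess)
    if looks_like_pe(pt):
        return guess, pt
    for klen in range(1, 33):
        key = recover_key(ciphertext, klen)
        if key is None:
            continue
        pt = xor_repeating(ciphertext, key)
        if looks_like_pe(pt):
            return key, pt
    return None


def build_fake_pe(total: int = 0x200) -> bytes:
    """Constructed stand-in for a decrypted payload: MZ magic, zero padding,
    the DOS stub string at its usual offset, then deterministic filler."""
    head = bytearray(b"MZ" + b"\x00" * (DOS_STUB_OFFSET - 2) + DOS_STUB + b"\x00")
    head.extend(bytes((i * 7) & 0xFF for i in range(total - len(head))))
    return bytes(head)


def demo() -> dict:
    """Case 1: blob keyed with the password. Case 2: blob keyed with an
    unrelated 7-byte key, so only known-plaintext recovery can open it."""
    pe = build_fake_pe()
    blob1 = xor_repeating(pe, PASSWORD.encode())
    other = b"\x13\x37\xc0\xff\xee\x42\x99"
    blob2 = xor_repeating(pe, other)
    return {"pe": pe, "other": other,
            "case1": triage(blob1, PASSWORD),
            "case2": triage(blob2, PASSWORD)}


if __name__ == "__main__":
    r = demo()
    for name in ("case1", "case2"):
        key, _ = r[name]
        print(f"{name}: recovered key {key!r}")
```

If neither path yields a PE, the scheme is not a plain repeating key (a rolling or position-dependent XOR, or a key derived from the password rather than the password itself) and the next step is to pull the routine out of the Go binary rather than keep guessing.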

MITRE Techniques

  • [T1036] Masquerading – ‘The loader’s icon and name masqueraded as the legitimate CherryTree note taking application to trick the victims.’
  • [T1105] Ingress Tool Transfer – ‘Two files were downloaded from that IP, a password protected rar file (Packed.rar) and an executable (main.exe) used to unpack Packed.rar.’
  • [T1027] Obfuscated Files and Information – NuxtSharp.Data is stored encrypted and only recovered at runtime. ‘The file is then decrypted with a simple XOR algorithm.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The threat actor runs the chain from the command line, first ‘Cherrytree.exe 405060EEw@! NuxtSharp.Data Spof.Data’ and later ‘cmd.exe /c File.log Spof.Data 123 12.log’.
  • [T1055.012] Process Injection: Process Hollowing – The closest sub-technique to process ghosting; the code starts the ghosted payload on a new thread. ‘Finally, it creates a new thread of execution … NtCreateThreadEx to start the execution of the 12.log process.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The batch script adds a Defender exclusion for the executable and then turns Defender off. ‘Whitelist the exe process in Microsoft Defender’ and ‘Disable Microsoft defender AntiSpyware (Effectively disabling Windows Defender)’.
  • [T1136] Create Account – The batch script creates a local administrator account with a misspelled name to maintain access. ‘First it creates an administrator account with a misspelled username Administrater and the password 102030TTYG@’
  • [T1021] Remote Services – The attackers enable RDP and open the firewall for it. ‘Enable remote connections and add firewall rules to allow RDP connections on port 3389’
  • [T1070.004] Indicator Removal: File Deletion – The loader deletes its working files after use. ‘DeleteFileW and RemoveDirectoryW to delete any evidence in the %TEMP% directory.’
  • [T1564] Hide Artifacts – Process ghosting maps the payload into memory without a backing file on disk. ‘Process ghosting (fileless technique)’
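The techniques above are individually noisy (a firewall rule for 3389 is routine), but the sequence is not. The following detection example is added here and is not Arctic Wolf's code: it runs a small rule set over process-creation records shaped like Sysmon Event ID 1 fields and alerts when several distinct signals from the chain fire on one host inside a short window. The page does not reproduce the batch script, so the `net user`, `reg add` and `netsh` command lines in the sample are constructed stand-ins for the behaviour described, not the actor's actual commands; the host names, timestamps and event layout are likewise constructed.

```python
"""
Added detection example (not Arctic Wolf's code). Sample events are
constructed; the account/Defender/RDP command lines are ASSUMED forms of the
behaviour the page describes, not the real batch script.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (signal id, human label, regex over the command line)
RULES = [
    ("T1059.003", "CherryLoader launch with password and data-file args",
     re.compile(r"cherrytree\.exe\s+\S+\s+NuxtSharp\.Data\s+Spof\.Data", re.I)),
    ("T1059.003", "File.log staging command",
     re.compile(r"cmd\.exe\s+/c\s+File\.log\s+\S+\.Data\s+\S+\s+\S+\.log", re.I)),
    ("T1136", "local account 'Administrater' created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+Administrater\b.*\s/add\b", re.I)),
    ("T1562.001", "Defender exclusion added or AntiSpyware disabled",
     re.compile(r"Add-MpPreference\s+-Exclusion|DisableAntiSpyware", re.I)),
    ("T1021", "RDP enabled (fDenyTSConnections=0 or firewall rule for 3389)",
     re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b|localport=3389", re.I)),
]

# SHA256 values from the Indicators of Compromise section.
KNOWN_HASHES = {
    "50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9": "main.exe",
    "f9373383d2a1cea0179d016b4496475d44262945ab5fb6ff28cd156187c6ff6a": "Packed.rar",
    "8c42321dd19bf4c8d2ef11885664e79b0064194e3222d73f00f4a1d67672f7fc": "cherrytree.exe",
    "e0f53fb3651caf5eb3b30603064d527b9ac9243f8e682e4367616484ec708976": "File.log",
}


def match_event(ev: dict) -> list:
    """Return every (signal, label) that fires for one process-creation record."""
    hits = [(sig, label) for sig, label, rx in RULES if rx.search(ev["cmdline"])]
    digest = ev.get("sha256", "").lower()
    if digest in KNOWN_HASHES:
        hits.append(("IOC", f"known hash: {KNOWN_HASHES[digest]}"))
    return hits


def correlate(events: list, window=timedelta(minutes=30), min_signals: int = 3) -> dict:
    """Alert per host when >= min_signals distinct signals fire within `window`.
    Returns {host: sorted list of signal ids} for hosts that crossed the bar."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for sig, label in match_event(ev):
            per_host[ev["host"]].append((ev["ts"], sig))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            sigs = {sig for t, sig in hits[i:] if t - t0 <= window}
            if len(sigs) >= min_signals:
                alerts[host] = sorted(sigs)
                break
    return alerts


T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"host": "WS01", "ts": T0, "cmdline": "main.exe",
     "sha256": "50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=1),
     "cmdline": "Cherrytree.exe 405060EEw@! NuxtSharp.Data Spof.Data",
     "sha256": "8c42321dd19bf4c8d2ef11885664e79b0064194e3222d73f00f4a1d67672f7fc"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2),
     "cmdline": "cmd.exe /c File.log Spof.Data 123 12.log"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=3),
     "cmdline": "net user Administrater 102030TTYG@ /add"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=3),
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                r'/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "WS01", "ts": T0 + timedelta(minutes=4),
     "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in '
                'protocol=TCP localport=3389 action=allow'},
    # A lone RDP firewall rule on another host: one signal, no alert.
    {"host": "WS02", "ts": T0,
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" '
                'dir=in protocol=TCP localport=3389 action=allow'},
]


def run_sample() -> dict:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, sigs in run_sample().items():
        print(f"ALERT {host}: {', '.join(sigs)}")
```

The hash and command-line regexes are the brittle part (a rebuilt loader or renamed data files defeat them); the correlation threshold is what keeps the rule useful once the specific strings change, so tune `min_signals` and `window` against your own baseline rather than the sample values above.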

Indicators of Compromise

  • [IP Address] IP used to download Packed.rar and main.exe – 141.11.187[.]70
  • [SHA256] main.exe – 50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9
  • [SHA256] Packed.rar – f9373383d2a1cea0179d016b4496475d44262945ab5fb6ff28cd156187c6ff6a
  • [SHA256] cherrytree.exe/CherryLoader – 8c42321dd19bf4c8d2ef11885664e79b0064194e3222d73f00f4a1d67672f7fc
  • [SHA256] File.log (Decrypted payload) – e0f53fb3651caf5eb3b30603064d527b9ac9243f8e682e4367616484ec708976
  • [Filename] File.log – Used as the decrypted/loaded payload during execution
  • [Filename] 12.log – Created during the process ghosting sequence to run the final payload

Read more: https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/