'CherryLoader' Malware Allows Serious Privilege Execution

A sporty, modular downloader allows hackers to cherry-pick their exploits — in this case, two powerful tools for gaining admin access in a Windows system.

2 Min Read
A closeup of a bunch of cherries
Source: kevers via Alamy Stock Photo

It's the pits for admins: Researchers have discovered a threat actor achieving admin-level access on targeted systems by deploying a new, sophisticated downloader and a couple of privilege escalation tools from the "potato" family.

"CherryLoader" is a multistage, modular loader written in Golang, which with its name and logo attempts to masquerade as the legitimate "Cherrytree" note-taking software.

In two recent intrusions observed by analysts at Arctic Wolf, an attacker working from an IP in the Netherlands used CherryLoader to drop two notable off-the-shelf tools for gaining admin access. Finally, at the end of the attack chain, the adversary deployed a bash script in order to take Windows security tools out of the picture.

However, CherryLoader's niftiest feature is its ability to seamlessly swap payloads without having to recompile any code.

"The ability to swap payloads in this case is an artifact of the modular design of the malware," Arctic Wolf’s senior manager of security research Kirk Soluk explains. "Generally speaking, malware, whether it be a downloader, botnet, RAT, etc., has become more modular and less monolithic over time, so here we have an author using a more modern language [Go] and following a common design pattern."

CherryLoader's Bowl of Malware

As mentioned, the attacker behind the two recent intrusions used CherryLoader's modular flexibility to deploy two publicly available privilege escalation tools: PrintSpoofer and JuicyPotatoNG.

The latter is a recent iteration on a long line of potato-themed privilege escalation tools (the original Juicy Potato, BadPotato), as evidenced in its uninspiring sales pitch: "another Windows local privilege escalation [tool] from service account to system."

The former is a popular tool, with 323 forks since its release more than three years ago. It, too, according to its author, follows from the potato lineage of Windows privilege escalators. It separates itself by taking advantage of the so-called "Printer Bug," a means of manipulating an Active Directory (AD) Domain Controller to connect back to a system configured with "unconstrained delegation." Unconstrained delegation is a highly permissive AD configuration that opens the door to impersonation within the system.

The hackers behind CherryLoader used these tools to gain high-level access in targeted systems, at which point they dropped user.bat, a batch file script which performs a series of persistence and anti-analysis functions. Among other things, it creates an admin account in the system, whitelists and excludes executable files in Windows Defender and Microsoft Defender, respectively, disables Microsoft defender AntiSpyware, and amends firewall rules to enable remote connections.

Arctic Wolf declined to comment on the outcome of either intrusion in this campaign.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights