A cybersecurity company's research team has identified threat actors using a new Go-based malware downloader in two recent attacks.
Arctic Wolf Labs calls it “CherryLoader”. This allows attackers to share exploits without recompiling the code. The loader's icon and name were disguised as the note-taking application CherryTree to deceive victims. The attacks examined used CherryLoader to install PrintSpoofer or JuicyPotatoNG. Both are access escalation tools that run a batch file after installation. This allows the attackers to remain on the victim's device.
The most important findings
- Arctic wolf has observed the use of a new Go-based loader – called “CherryLoader” – in current attacks.
- The loader contains modular functions, which allow attackers to share exploits without having to recompile the code.
- The “CherryLoader” uses two publicly available privilege escalation exploits.
- CherryLoader's attack chain uses process ghosting and allows threat actors to increase their access rights and thus persist on victims' computers.
About Arctic Wolf Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1,6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2.000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.