Security researchers have uncovered a disturbing new tactic used by threat actors to gain admin-level access to targeted systems. This threat actor deployed a sophisticated downloader called “CherryLoader” along with some privilege escalation tools from the “potato” family, successfully evading detection and causing significant damage in recent intrusions. CherryLoader is a multistage, modular loader that was written in Golang and is designed to mimic the legitimate “Cherrytree” note-taking software.
In two recent intrusions observed by analysts at Arctic Wolf, the attacker, working from an IP address in the Netherlands, used CherryLoader to drop two well-known off-the-shelf tools for gaining admin access. In the final stage of the attack, the adversary deployed a batch script to neutralize Windows security tools, effectively removing any barriers to their intrusion. What makes CherryLoader particularly dangerous is its ability to seamlessly swap payloads without needing to recompile any code.
Commenting on this feature, Arctic Wolf’s senior manager of security research, Kirk Soluk, explained that malware has become more modular over time, allowing attackers to easily shift tactics and payloads as needed. This demonstrates how threat actors are leveraging modern language and design patterns to stay one step ahead of security measures.
The intruder behind the recent attacks used CherryLoader’s modular design to deploy two publicly available privilege escalation tools: PrintSpoofer and JuicyPotatoNG. JuicyPotatoNG is a recent iteration on a long line of potato-themed privilege escalation tools, offering another way for attackers to gain system control. Meanwhile, PrintSpoofer has been popular among hackers for several years, leveraging the so-called “Printer Bug” to manipulate an Active Directory (AD) Domain Controller and gain high-level access to systems.
The CherryLoader attackers were able to use these tools to create an admin account in the targeted systems, disable security measures, and establish persistence using a batch file script called user.bat. This script was designed to evade detection and ensure continued access to the compromised systems.
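To give defenders a concrete starting point, here is an added example (not code from the Arctic Wolf report) that correlates the stages described above over constructed Windows event records: a PrintSpoofer or JuicyPotatoNG process, a new account added to the local Administrators group, and execution of user.bat on the same host within a short window. Event IDs 4688, 4720 and 4732 are standard Windows Security log IDs; the record field names, the 30-minute window and the sample events are assumptions made for the example.

```python
"""Toy correlation of the CherryLoader post-exploitation chain (privesc tool,
new local admin, user.bat persistence) over constructed event records.
Field names and the correlation window are assumptions, not a real schema."""
from datetime import datetime, timedelta

PRIVESC_TOOLS = {"printspoofer.exe", "juicypotatong.exe"}  # tool names from the report
PERSISTENCE_SCRIPT = "user.bat"                             # script name from the report
WINDOW = timedelta(minutes=30)                               # assumed correlation window

# Constructed sample events (not real telemetry). event_id 4688 = process created,
# 4720 = user account created, 4732 = member added to a local group.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T10:00:05", "event_id": 4688, "host": "ws01", "image": "C:\\Users\\Public\\cherrytree.exe"},
    {"ts": "2024-01-10T10:01:12", "event_id": 4688, "host": "ws01", "image": "C:\\Windows\\Temp\\PrintSpoofer.exe"},
    {"ts": "2024-01-10T10:02:40", "event_id": 4720, "host": "ws01", "target_user": "svcupdate"},
    {"ts": "2024-01-10T10:02:41", "event_id": 4732, "host": "ws01", "group": "Administrators", "target_user": "svcupdate"},
    {"ts": "2024-01-10T10:03:30", "event_id": 4688, "host": "ws01", "image": "C:\\Windows\\Temp\\user.bat"},
    {"ts": "2024-01-10T11:15:00", "event_id": 4688, "host": "ws02", "image": "C:\\Windows\\System32\\cmd.exe"},
]

def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def correlate(events, window=WINDOW):
    """Return one finding per privesc-tool execution that is followed, on the same
    host and within `window`, by an account creation, an Administrators group
    addition, or a user.bat execution. A lone tool launch yields no finding."""
    findings, by_host = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):     # ISO timestamps sort lexically
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["event_id"] != 4688 or _basename(ev["image"]) not in PRIVESC_TOOLS:
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            stages = {"privesc_tool": _basename(ev["image"])}
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break                                     # outside the window
                if later["event_id"] == 4720:
                    stages["account_created"] = later["target_user"]
                elif later["event_id"] == 4732 and later.get("group", "").lower() == "administrators":
                    stages["admin_added"] = later["target_user"]
                elif later["event_id"] == 4688 and _basename(later["image"]) == PERSISTENCE_SCRIPT:
                    stages["persistence_script"] = later["image"]
            if len(stages) > 1:                               # tool plus at least one follow-on stage
                findings.append({"host": host, "first_seen": ev["ts"], **stages})
    return findings
```

Running `correlate(SAMPLE_EVENTS)` flags only ws01, where the tool launch is followed by the account, group and script stages; ws02 produces nothing.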
Arctic Wolf declined to comment on the specific outcomes of the intrusions in this campaign, leaving many organizations concerned about the potential impact of this new wave of attacks. With threat actors constantly adapting their tactics and exploiting vulnerabilities in increasingly sophisticated ways, security experts and IT professionals are faced with the ongoing challenge of protecting sensitive systems and data from malicious actors.
This latest development underscores the need for organizations to remain vigilant and invest in comprehensive cybersecurity measures. By staying informed about emerging threats and implementing best practices for network security, businesses can reduce the risk of falling victim to malicious activities like those observed in the CherryLoader attacks. As threat actors continue to evolve their tactics, it is essential for organizations to prioritize cybersecurity and take proactive steps to safeguard their digital assets.