CherryLoader Malware Enables Critical Privilege Escalation

Security researchers have uncovered a disturbing new tactic used by threat actors to gain admin-level access to targeted systems. The threat actor deployed a sophisticated downloader called “CherryLoader” together with privilege escalation tools from the “potato” family, successfully evading detection and causing significant damage in recent intrusions. CherryLoader is a multistage, modular loader written in Go that is designed to mimic the legitimate “Cherrytree” note-taking software.

In two recent intrusions observed by analysts at Arctic Wolf, the attacker, working from an IP address in the Netherlands, used CherryLoader to drop two well-known off-the-shelf tools for gaining admin access. In the final stage of the attack, the adversary ran a batch script to neutralize Windows security tools, effectively removing any remaining barriers to the intrusion. What makes CherryLoader particularly dangerous is its ability to swap payloads seamlessly without any code being recompiled.

Commenting on this feature, Arctic Wolf’s senior manager of security research, Kirk Soluk, explained that malware has become more modular over time, allowing attackers to easily shift tactics and payloads as needed. This demonstrates how threat actors are leveraging modern language and design patterns to stay one step ahead of security measures.

The intruder behind the recent attacks used CherryLoader’s modular design to deploy two publicly available privilege escalation tools: PrintSpoofer and JuicyPotatoNG. JuicyPotatoNG is a recent iteration of a long line of potato-themed privilege escalation tools, offering attackers yet another way to gain system control. PrintSpoofer, meanwhile, has been popular among hackers for several years; it leverages the so-called “Printer Bug” to manipulate an Active Directory (AD) Domain Controller and gain high-level access to systems.

The CherryLoader attackers were able to use these tools to create an admin account in the targeted systems, disable security measures, and establish persistence using a batch file script called user.bat. This script was designed to evade detection and ensure continued access to the compromised systems.

Arctic Wolf declined to comment on the specific outcomes of the intrusions in this campaign, leaving many organizations concerned about the potential impact of this new wave of attacks. With threat actors constantly adapting their tactics and exploiting vulnerabilities in increasingly sophisticated ways, security experts and IT professionals are faced with the ongoing challenge of protecting sensitive systems and data from malicious actors.

This latest development underscores the need for organizations to remain vigilant and invest in comprehensive cybersecurity measures. By staying informed about emerging threats and implementing best practices for network security, businesses can reduce the risk of falling victim to malicious activities like those observed in the CherryLoader attacks. As threat actors continue to evolve their tactics, it is essential for organizations to prioritize cybersecurity and take proactive steps to safeguard their digital assets.
