Cherry Picker

Malware Profile Updated 23 days ago
Cherry Picker is Point of Sale (PoS) malware built to steal Cardholder Data (CHD) while remaining largely undetected. It evades security controls through configuration files, encryption, obfuscation, command line arguments, and carefully chosen targets. The malware employs a novel memory scraping algorithm, a file infector for persistence, and a cleaner component that removes the evidence of infection from the target system. Cherry Picker can also encrypt CHD with a public key hidden in an obfuscated config before writing it to the exfiltration file, and it enumerates .rar files in the %WINDIR%\System32 directory; both behaviours add to its stealth and effectiveness.

The initial vector of compromise is typically the exploitation of weak or default passwords on remote administration tools installed on PoS systems; this was the likely entry point in the most recent forensic case involving the malware. Once installed, Cherry Picker uses two different persistence mechanisms so that it keeps running after reboots and removal attempts. The malware has been improved steadily over time and remains an active threat.

Yara rules have been released that detect the installer, the main malware, and the cleaner components of Cherry Picker, giving organizations a way to check their systems for it. Trustwave's malware researchers presented detailed findings on Cherry Picker and its associated component, Searcher.dll, at the SecTor conference, and artifacts from both have been included in a SANS course on Sniper Forensics, which documents their operation and possible countermeasures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Cherry Picker malware was read from the following source document.

MITRE (added a year ago): Shining the Spotlight on Cherry Picker PoS Malware