Cherry Picker is a sophisticated piece of malware built to compromise computer systems while remaining largely undetected. It evades security controls through a combination of configuration files, encryption, obfuscation, command line arguments, and carefully chosen targets. The malware uses a novel memory scraping algorithm, a file infector for persistence, and a cleaner component that removes all evidence of infection from the target system. Additionally, Cherry Picker can encrypt Cardholder Data (CHD) before writing it to the exfiltration file, using a public key hidden in an obfuscated config. This feature, together with its ability to enumerate .rar files in the %WINDIR%\System32 directory, further adds to its stealth and effectiveness.
The initial vector of compromise for Cherry Picker often involves the exploitation of weak or default passwords on remote admin tools, particularly in Point of Sale (PoS) systems. This method was likely used in the most recent forensic case involving this malware. Once installed, Cherry Picker has two different methods to maintain persistence, ensuring its continued operation even after system reboots or attempts at removal. Over time, the malware has shown consistent improvement, adapting and evolving to remain a persistent threat.
In response to this threat, Yara rules have been released that detect the installation, main malware, and cleaner components of Cherry Picker. These rules will help organizations protect their systems against this malicious software. Trustwave's malware researchers have presented detailed information about Cherry Picker and its associated malware, Searcher.dll, at the SecTor conference. Furthermore, artifacts related to both pieces of malware have been included in a SANS course on Sniper Forensics, providing valuable insight into how they operate and how they can be countered.
Description last updated: 2024-05-05T07:51:04.862Z