
Cherry Picker

By GoldSparrow in Malware

Cherry Picker is a high-end PoS (Point-of-Sale) malware that has been active for at least ten years. Malware experts first detected this threat in 2011. When they dissected Cherry Picker, they found that it had been created in 2009, which means that it had likely been operating undetected for two years by then. The creators of Cherry Picker have introduced several updates over the years; the most recent one appears to be from 2015.

The malware makes use of the privileges that the Windows Registry values 'AppInit_DLLs' and 'LoadAppInit_DLLs' can provide it with. This means that its malicious DLL is loaded into applications as they start up.
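A defender auditing a PoS host for this persistence technique wants to know whether anything is listed in 'AppInit_DLLs' (under both the native and the Wow6432Node key) and whether 'LoadAppInit_DLLs' is switched on. The following is an added example, not code from the article or from any analysis of Cherry Picker: it parses a `reg export`-style text dump and reports every DLL that would be loaded through AppInit. The registry dump is constructed for the example, and the DLL path in it is an illustrative placeholder, not an indicator from the page.

```python
import re
from typing import Dict, List

# Constructed .reg export for the example (placeholder path, not an IoC).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\example_hook.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"""

# The two keys Windows consults for AppInit DLLs (64-bit and 32-bit views).
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of the .reg format produced by 'reg export':
    bracketed key headers, quoted REG_SZ values (with \\\\ and \\" escapes)
    and dword values.  Other value types are kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                unescaped = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name] = unescaped
            else:
                keys[current][name] = data
    return keys


def audit_appinit(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Return one finding per AppInit key that names at least one DLL.
    An empty list means nothing is staged for loading via AppInit_DLLs."""
    findings = []
    for key in APPINIT_KEYS:
        values = keys.get(key, {})
        # AppInit_DLLs may hold several paths separated by spaces or commas.
        dlls = [d for d in re.split(r"[ ,;]+", str(values.get("AppInit_DLLs", ""))) if d]
        if not dlls:
            continue
        findings.append({
            "key": key,
            "dlls": dlls,
            "load_enabled": values.get("LoadAppInit_DLLs", 0) == 1,
            "signed_only": values.get("RequireSignedAppInit_DLLs", 0) == 1,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_appinit(parse_reg_export(SAMPLE_REG_EXPORT)):
        state = "ENABLED" if finding["load_enabled"] else "disabled"
        print(f"{finding['key']}: LoadAppInit_DLLs {state}, DLLs: {finding['dlls']}")
```

On a live host, feed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` (and the Wow6432Node equivalent) into `parse_reg_export`; any non-empty AppInit_DLLs on a PoS terminal deserves a look regardless of the LoadAppInit_DLLs flag, since the flag can be flipped later.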

The Cherry Picker malware works with a configuration file whose path is hardcoded – this means that each sample of Cherry Picker will look for a specific filename in a specific directory. One of the samples that malware researchers came across used a non-encrypted text file for its configuration settings – it was given the name 'graph32.dll' and placed in the 'system32' folder. It is likely that this property is changed on a case-by-case basis to make it more difficult to track Cherry Picker's movements and settings. Within the file are the username, password, and IP address of the attackers. This PoS malware can collect credit card information, which it stores in encrypted RAR archives. The names of these files are also customizable. Furthermore, Cherry Picker is also programmed to wait a set amount of time before it begins collecting data from memory and to then siphon it back to the attackers' servers at a certain time.
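A plaintext configuration file named like a DLL and dropped into 'system32' is a triage opportunity: a real DLL is a PE image with an 'MZ' DOS header and a 'PE\0\0' signature, while the file described above is text. The following is an added example, not code from the article or from any Cherry Picker analysis: it checks whether a file claiming to be a DLL is actually a PE image, decides whether it looks like text instead, and, for text files, pulls out any IPv4 addresses for the responder to review. Both sample files are constructed here; the address uses a documentation range (203.0.113.0/24) and is not an indicator from the page.

```python
import re
import struct

# Matches dotted-quad IPv4 addresses inside a bytes buffer.
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_text(data: bytes) -> bool:
    """Heuristic: more than 95% printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) > 0.95


def triage_dll_candidate(name: str, data: bytes) -> dict:
    """Flag a file that carries a .dll name but is not a PE image, and
    surface any IPv4 addresses if the content is plaintext."""
    result = {
        "name": name,
        "is_pe": is_pe_image(data),
        "is_text": looks_like_text(data),
        "ipv4": [],
    }
    if result["is_text"]:
        result["ipv4"] = sorted({m.decode() for m in IPV4_RE.findall(data)})
    result["suspicious"] = name.lower().endswith(".dll") and not result["is_pe"]
    return result


def _minimal_pe() -> bytes:
    """Constructed: a 0x40-byte DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples for the example (not real files or IoCs).
SAMPLE_PE = _minimal_pe()
SAMPLE_CONFIG = b"user=operator\npass=example-password\nserver=203.0.113.10\nwait=3600\n"


if __name__ == "__main__":
    for name, blob in (("graph32.dll", SAMPLE_CONFIG), ("legit.dll", SAMPLE_PE)):
        r = triage_dll_candidate(name, blob)
        print(f"{name}: pe={r['is_pe']} text={r['is_text']} "
              f"suspicious={r['suspicious']} ipv4={r['ipv4']}")
```

In practice you would walk the system32 directory (and wherever the sample's hardcoded path points), read the first few kilobytes of each .dll, and escalate anything `triage_dll_candidate` marks suspicious; the extracted addresses then go into the network-egress review for the terminal.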

What is most notable about Cherry Picker is also where its name is derived from. It is very likely that this PoS malware only attacks targets that it has already studied beforehand. This is indicated by Cherry Picker's 'Target Process' field, which shows that this piece of malware is looking for specific processes on the infiltrated system, namely those that hold the credit card data it targets. If the specific process it seeks is not found, then Cherry Picker terminates all activity. It is speculated that this pickiness is why Cherry Picker has managed to avoid detection for as long as it has.

Finally, as an extra step to minimize the risk of detection, Cherry Picker uses a file called 'Ccv.exe,' which deletes all traces of the PoS malware's activity. Every variant of Cherry Picker has a different file serving this purpose. It seeks out files, paths, and Registry keys left over from Cherry Picker's activity and wipes them off. After deleting this data, it overwrites the freed space with filler such as FFs and 00s, and then clears that off too. This is done to ensure that cybersecurity experts will not be able to recover this PoS malware and study it.

This PoS malware is much more complex than most threats in this category. This is why it has been active for over ten years and continues to cause trouble to this day. It is crucial for businesses to keep up with current cybersecurity practices, because threats like Cherry Picker are relentless in their pursuit of cash no matter the cost.
