CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico. (Citation: TrendMicro_CherryBlos_July2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | 1 |
| Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | 2 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2 |