Skip to content

Hide Navigation Hide TOC

CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023)

Cluster A Galaxy A Cluster B Galaxy B Level
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern 1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 1
Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 1
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 2
Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern 2