CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848)	Attack Pattern	1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	1
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	1
Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174)	Attack Pattern	CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df)	Attack Pattern	1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a)	Attack Pattern	1
Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19)	Attack Pattern	CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	1
Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)	Malware	Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e)	Attack Pattern	1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	2
Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174)	Attack Pattern	Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a)	Attack Pattern	2