
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)

CherryBlos is Android malware that steals credentials and redirects cryptocurrency transfers to adversary-controlled wallets. It first appeared in April 2023 under the label Robot 999; since then it has been distributed under several aliases, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to Google Play in several regions, including Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | 1 |
| CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) | Malware | Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) | Attack Pattern | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | 2 |