Skip to content

Hide Navigation Hide TOC

CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023)

Cluster A Galaxy A Cluster B Galaxy B Level
Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern 1
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 1
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 2
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern 2