A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave.
Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.
In 2011, Trustwave started analyzing several pieces of malware designed to inject code into processes that handle cardholder data. One of these toolsets consisted of two components: sr.exe, a command line interface, and searcher.dll, which sr.exe injected into the targeted processes.
This toolset was often found on infected systems alongside other threats, such as a PoS malware created using the AutoIt scripting language, and Rdasrv, one of the earliest PoS RAM scrapers.
Another threat seen on systems infected with searcher.dll is Cherry Picker, which has managed to stay under the radar. Trustwave reported spotting three versions of the malware, each with slight functionality improvements compared to the previous version.
According to researchers, Cherry Picker relies on a new memory scraping algorithm, uses a file infector for persistence, and comes with a cleaner component that removes all traces of the infection from the system.
While in some cases the PoS malware created a registry entry for persistence, in more recent instances experts discovered an updated version of sr.exe, srf.exe, which has been used to install the malware and inject a DLL into processes.
In basketball, a cherry picker is a player who doesn’t play defense with the rest of the team and instead sits near the opponent’s basket waiting for a pass after a change of possession, enabling them to score easily. Just like a cherry picker in basketball, the Cherry Picker malware doesn’t target all processes and instead focuses on one process that is known to contain card data.
The threat’s configuration file specifies which process should be injected, and if that process is not found, the malware exits. This indicates that the attacker has already conducted reconnaissance on the system to determine which process should be targeted.
The latest version of the PoS malware relies on an API called QueryWorkingSet to scrape the memory. The harvested data is then written into a file and sent to the attacker’s server.
Once the data is exfiltrated, the cleaning process begins. The malware developers created a targeted cleaner tool designed to restore the infected system to a clean state. The threat relies on the popular remote control software TeamViewer to overwrite and remove files, logs and registry entries.
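The injector-plus-DLL pattern described above (sr.exe or srf.exe starting, then searcher.dll appearing in a different process) is the kind of behaviour an endpoint telemetry pipeline can correlate. The following Python is an added defensive example, not code from Trustwave or from the article; the event records are constructed Sysmon-style samples, the PoS process name pos_app.exe is a hypothetical placeholder, and the 30-second correlation window is an assumed tuning value.

```python
"""Correlate process-creation and image-load events to flag the Cherry Picker
toolset pattern: an injector (sr.exe / srf.exe) starts, then searcher.dll is
loaded by another process. Added defensive example; all events are constructed."""
from datetime import datetime, timedelta

# File names taken from the article.
INJECTOR_NAMES = {"sr.exe", "srf.exe"}
INJECTED_DLL = "searcher.dll"

# Constructed Sysmon-style records (ProcessCreate ~ Event ID 1, ImageLoad ~ Event ID 7).
# pos_app.exe is a hypothetical placeholder for a PoS application.
SAMPLE_EVENTS = [
    {"ts": "2015-11-12T10:00:01", "event": "ProcessCreate", "pid": 4120,
     "image": r"C:\Windows\Temp\srf.exe"},
    {"ts": "2015-11-12T10:00:03", "event": "ImageLoad", "pid": 2880,
     "image": r"C:\POS\pos_app.exe",
     "loaded": r"C:\Windows\Temp\searcher.dll"},
    {"ts": "2015-11-12T10:05:00", "event": "ProcessCreate", "pid": 5000,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2015-11-12T10:05:02", "event": "ImageLoad", "pid": 5000,
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def basename(path):
    """Case-insensitive file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window_seconds=30):
    """Return a list of alerts. A searcher.dll load is rated 'high' when an
    injector process started within the window in a different PID, otherwise
    'medium'; every injector start is itself a 'medium' alert."""
    alerts = []
    recent_injectors = []  # (timestamp, pid, image path)
    window = timedelta(seconds=window_seconds)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])

        if ev["event"] == "ProcessCreate" and basename(ev["image"]) in INJECTOR_NAMES:
            recent_injectors.append((ts, ev["pid"], ev["image"]))
            alerts.append({"rule": "injector_process_created", "severity": "medium",
                           "ts": ev["ts"], "pid": ev["pid"], "image": ev["image"]})

        elif ev["event"] == "ImageLoad" and basename(ev["loaded"]) == INJECTED_DLL:
            # Cross-process: the DLL lands in a PID other than the injector's own.
            matches = [i for i in recent_injectors
                       if ts - i[0] <= window and i[1] != ev["pid"]]
            alert = {"rule": "injected_dll_loaded",
                     "severity": "high" if matches else "medium",
                     "ts": ev["ts"], "pid": ev["pid"], "image": ev["image"],
                     "loaded": ev["loaded"]}
            if matches:
                alert["injector_pid"] = matches[-1][1]
                alert["injector_image"] = matches[-1][2]
            alerts.append(alert)

    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The correlation window is what separates a meaningful alert from a plain file-name match: the DLL name alone can be renamed, but an unrelated process receiving a module load shortly after a command-line injector starts is the behaviour the article describes, whatever the files are called.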
“Cherry Picker’s use of configuration files, encryption, obfuscation, and command line arguments has allowed the malware to remain under the radar of many security companies and AVs,” Trustwave researchers said. “The introduction of a new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community.”
Trustwave says it’s currently investigating a Cherry Picker attack targeting a company in the food and beverage industry, but the security firm warns that any business using PoS applications is at risk.
Additional technical details on Cherry Picker are available in a blog post from Trustwave.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.