A point-of-sale (PoS) malware family that went largely undetected for several years has been analyzed by researchers at Trustwave.
Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.
In 2011, Trustwave started analyzing several pieces of malware designed to inject code into processes that handle cardholder data. One of these toolsets consisted of two components: sr.exe, a command line interface, and searcher.dll, which sr.exe injected into the targeted processes.
This toolset was often found on infected systems alongside other threats, such as a PoS malware created using the AutoIt scripting language, and Rdasrv, one of the earliest PoS RAM scrapers.
Another threat seen on systems infected with searcher.dll is Cherry Picker. Trustwave reported spotting three versions of the malware, each with slight functionality improvements over the previous one.
According to researchers, Cherry Picker relies on a new memory scraping algorithm, uses a file infector for persistence, and comes with a cleaner component that removes traces of the infection from the system.
While in some cases the PoS malware created a registry entry for persistence, in more recent instances experts found an updated version of sr.exe, named srf.exe, being used to install the malware and inject a DLL into processes.
In basketball, a cherry picker is a player who doesn’t play defense with the rest of the team and instead sits near the opponent’s basket waiting for a pass after a change of possession, enabling them to score easily. Just like a cherry picker in basketball, the Cherry Picker malware doesn’t target all processes and instead focuses on one process that is known to contain card data.
The threat’s configuration file specifies which process should be injected, and if that process is not found, the malware simply exits. This indicates that the attacker had already conducted reconnaissance on the system to determine which process holds the card data.
The latest version of the PoS malware relies on the Windows API QueryWorkingSet to scrape the target process’s memory. The harvested data is then written to a file and sent to the attacker’s server.
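What a scraper like Cherry Picker is hunting for once it has found the right process, and what a DFIR analyst can hunt for in a dump of that same process, is magnetic-stripe track data. The following is an added example, not Trustwave’s analysis code or the malware’s own: the track 1/track 2 patterns, the Luhn check and the constructed sample buffer are assumptions chosen to show how card data is recognized (and masked) in raw memory.

```python
"""Scan a memory buffer for magnetic-stripe track data, as a PoS RAM scraper would.

Added example (not Trustwave's or the malware's code). The regexes, Luhn check and
the constructed SAMPLE_MEMORY below are assumptions used to illustrate what a
memory scraper such as Cherry Picker looks for in a card-handling process, and
what an analyst can look for in a dump of that process.
"""
import re

# Track 2 as encoded on the stripe: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[0-9]*\?")
# Track 1 format B: '%B' PAN '^' NAME '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})\d{3}[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn mod-10 check."""
    digits = [int(c) for c in pan.decode("ascii")]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the first 6 (BIN) and last 4 digits, mask everything in between."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_memory(buf: bytes) -> list:
    """Find Luhn-valid track data in buf; return masked findings sorted by offset."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):        # drop false positives that merely look like a PAN
            findings.append({"track": 2, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(2).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(3).decode()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample "process memory": padding, a well-known Luhn-valid test PAN in
# track 2 and track 1 form, and a track-2-looking string whose PAN fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 32 + b"pos_app.dll\x00"
    + b";4111111111111111=25121011234567890?"
    + b"\x00" * 16
    + b"%B4111111111111111^DOE/JANE^2512101000000000000?"
    + b"\x00" * 8
    + b";4111111111111112=25121010000000000?"   # fails Luhn, must be ignored
    + b"\xff" * 32
)

if __name__ == "__main__":
    for finding in scan_memory(SAMPLE_MEMORY):
        print(finding)
```

Feeding a real process dump (for example, one taken with a memory acquisition tool from the process named in the malware's configuration) into scan_memory shows whether unencrypted track data is actually resident in that process, which is exactly the condition a scraper like this depends on.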
Once the data is exfiltrated, the cleaning process begins. The malware developers created a targeted cleaner tool designed to restore the infected system to a clean state. The threat relies on the popular remote control software TeamViewer to overwrite and remove files, logs and registry entries.
“Cherry Picker’s use of configuration files, encryption, obfuscation, and command line arguments has allowed the malware to remain under the radar of many security companies and AVs,” Trustwave researchers said. “The introduction of a new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community.”
Trustwave says it’s currently investigating a Cherry Picker attack targeting a company in the food and beverage industry, but the security firm warns that any business using PoS applications is at risk.
Additional technical details on Cherry Picker are available in a blog post from Trustwave.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
