Cherry Picker

Cherry Picker is a Point-of-Sale (PoS) memory scraper malware first identified from Trustwave analysts in 2011, and went largely undetected for several years prior. It is typically found on systems also infected with the “searcher.dll” downloader. At the time of detection, researchers found three versions of the malware, each more improved than the previous. It uses a memory scraping algorithm, a file infector for persistence, and a cleaner that removes the evidence of the infection from the targeted system. Instead of targeting all processes, Cherry Picker focuses on one process that contains card data. The configuration file searches the targeted system for the processes and, if it is not present, it exits. If the process is present, the malware uses an API to scrape the memory, writes the memory content to a file, and sends it to the attacker’s server. Once the information is exfiltrated, Cherry Picker uses its embedded cleaning tool to return the system to a clean state. It uses the TeamViewer software to overwrite and remove files, logs, and registry entries. The malware uses a combination of command line arguments, configuration files, and obfuscation in an effort to operate undetected by security software.


  • November 2015: “Cherry Picker” PoS Malware Cleans Up After Itself. (SecurityWeek)
  • December 2016: Analysis of Cherry Picker POS Malware (De)Obfuscation. (Nuix)

Technical Details

  • Researchers at Trustwave provide technical details on Cherry Picker, here.