CatB
Type of Malware | Ransomware
Country of Origin | China
Targeted Countries | India
Date of Initial Activity | 2022
Additional Names | CatB99
Associated Groups | ChamelGang
Motivation | Espionage
Attack Vectors | Supply Chain
Targeted Systems | Windows
Overview
The CatB ransomware family, which first emerged in late 2022, has quickly drawn attention in the threat landscape. Also known by the aliases CatB99 and Baxtoy, this variant stands out for its sophisticated methods and unusual operational characteristics. Unlike many ransomware strains that rely on conventional encryption tactics and straightforward ransom demands, CatB uses DLL hijacking through the Microsoft Distributed Transaction Coordinator (MSDTC) service. This technique both improves its ability to evade detection and complicates remediation for affected organizations.
CatB ransomware’s technical execution involves a two-step DLL mechanism that begins with a dropper DLL responsible for initial checks and payload deployment. This dropper DLL, often packed using UPX, ensures that the primary ransomware payload is delivered while evading sandbox environments designed to analyze and neutralize threats. The use of DLL search order hijacking and MSDTC service manipulation marks a significant evolution in ransomware deployment tactics, highlighting the advanced strategies employed by its operators.
In addition to its evasion techniques, CatB ransomware stands out for its encryption behavior. The malware is designed to encrypt a wide range of files across multiple disk volumes while excluding certain critical system files and extensions to avoid system instability and detection. Uniquely, CatB appends its ransom note directly to the beginning of encrypted files rather than creating separate ransom note files or altering system settings, further complicating detection efforts.
Targets
- Information
- Public Administration
- Manufacturing
- Health Care and Social Assistance
- Retail Trade
- Accommodation and Food Services
How they operate
The CatB ransomware deploys its payload through a two-stage DLL (Dynamic-Link Library) process. Initially, a dropper DLL, typically UPX-packed, is introduced into the target environment. This dropper performs environmental checks to evade detection, assessing factors such as RAM size, disk type, and processor configurations to distinguish between real and virtual environments. This initial stage ensures that the ransomware operates in a suitable environment, avoiding premature detection in sandboxed or virtualized settings. Once these checks are completed, the dropper DLL deposits a second, malicious DLL payload onto the system.
The core functionality of CatB is driven by its second-stage DLL, which relies on DLL search order hijacking. The malicious payload (oci.dll) is placed in the System32 directory, where a legitimate system process will find and load it. To get that DLL executed, CatB abuses the MSDTC service: by manipulating the service’s permissions and startup parameters, the ransomware ensures that its payload is loaded into the service’s process (msdtc.exe) when the service restarts. This hides the malicious DLL inside a legitimate system process and complicates detection.
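The technique described above leaves three host artifacts a defender can check for: an oci.dll sitting in System32, a changed MSDTC service configuration or service ACL, and a Service Control Manager record of the start-type change. The following hunt script is an added example written for this page, not code from the original report or from any vendor; it assumes Windows 10/Server with PowerShell 5.1 or later, run from an elevated prompt, and the list of "broad" SIDs it flags in the service ACL is an assumption you should adjust to your baseline.

```powershell
# Added example (not from the original page): hunt for MSDTC / oci.dll
# search-order-hijack indicators on a single Windows host.
# Assumptions: PowerShell 5.1+, elevated session, built-in cmdlets only.

$findings = @()
$ociPath  = Join-Path $env:SystemRoot 'System32\oci.dll'

# 1. msdtc.exe resolves oci.dll via the normal DLL search order. A copy in
#    System32 on a host that has no Oracle client deserves a close look;
#    record its signature state, hash and creation time for triage.
if (Test-Path -Path $ociPath) {
    $sig  = Get-AuthenticodeSignature -FilePath $ociPath
    $hash = (Get-FileHash -Path $ociPath -Algorithm SHA256).Hash
    $item = Get-Item -Path $ociPath
    $findings += [pscustomobject]@{
        Check   = 'oci.dll present in System32'
        Detail  = "sig=$($sig.Status) signer=$($sig.SignerCertificate.Subject) sha256=$hash createdUtc=$($item.CreationTimeUtc)"
        Suspect = ($sig.Status -ne 'Valid')
    }
}

# 2. MSDTC service configuration: start mode, binary path and run-as account.
#    Compare StartMode against your own baseline; only the image path is
#    judged here (it should point at System32\msdtc.exe).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if ($svc) {
    $findings += [pscustomobject]@{
        Check   = 'MSDTC service configuration'
        Detail  = "startMode=$($svc.StartMode) path=$($svc.PathName) account=$($svc.StartName)"
        Suspect = ($svc.PathName -notmatch '\\System32\\msdtc\.exe')
    }
}

# 3. Service ACL. In service SDDL, DC = SERVICE_CHANGE_CONFIG and GA/GW are
#    generic all/write. Any of those granted to a broad group (assumed list:
#    Everyone, Authenticated Users, Users, Interactive, Anonymous) would let a
#    low-privileged account alter the service the way the report describes.
$sddl = (& sc.exe sdshow MSDTC) | Where-Object { $_ -match '^D:' }
if ($sddl) {
    $broadSids = 'WD', 'AU', 'BU', 'IU', 'AN'
    $aces = [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);;;([A-Z]{2})\)')
    foreach ($ace in $aces) {
        $rights = $ace.Groups[1].Value
        $sid    = $ace.Groups[2].Value
        if ($broadSids -contains $sid -and $rights -match 'DC|GA|GW|WO') {
            $findings += [pscustomobject]@{
                Check   = 'MSDTC service ACL grants write to broad group'
                Detail  = "ace=$($ace.Value)"
                Suspect = $true
            }
        }
    }
    $findings += [pscustomobject]@{ Check = 'MSDTC service SDDL'; Detail = $sddl; Suspect = $false }
}

# 4. Event ID 7040 (Service Control Manager) records start-type changes and
#    names the service, so a tampered MSDTC start type leaves a log entry.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Distributed Transaction Coordinator|MSDTC' }
foreach ($e in $events) {
    $findings += [pscustomobject]@{
        Check   = 'MSDTC start type changed (Event 7040)'
        Detail  = "$($e.TimeCreated.ToUniversalTime()) $($e.Message -replace '\s+', ' ')"
        Suspect = $true
    }
}

$findings | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize -Wrap
```

If a Sysmon or EDR image-load telemetry is available, the same indicator can be expressed as an alert on msdtc.exe loading a DLL named oci.dll from System32 that lacks a valid Microsoft signature; the script above is the offline, single-host equivalent.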
In terms of encryption, CatB targets a broad range of file types and directories. The ransomware avoids encrypting certain file extensions and system files, such as .msi, .dll, and .sys, to prevent system instability and facilitate its operation. The malware primarily encrypts user files across multiple disk volumes, appending a ransom note to the beginning of each encrypted file rather than employing more conspicuous indicators like desktop wallpaper changes or file extension alterations. This subtle approach aims to avoid triggering alarms from traditional detection systems that focus on more obvious ransom indicators.
CatB’s operational strategy extends beyond file encryption; it includes a robust mechanism for data exfiltration. The ransomware extracts sensitive information from various browsers, including Mozilla Firefox, Google Chrome, Microsoft Edge, and Internet Explorer. It targets browser profiles, autofill data, session keys, and other sensitive details to maximize the impact of its attack. Additionally, CatB seeks to extract data from Windows Mail profiles, further broadening its scope of information theft.
The ransom demands are uniquely handled by CatB. Instead of using multiple Bitcoin addresses for individual victims, the ransomware employs a single address for payments, which simplifies the payment process but might also indicate a lack of sophistication in victim management. The ransom note, appended to encrypted files, instructs victims to contact the attackers via a ProtonMail address and includes a Bitcoin payment address. Notably, the ransom increases daily over a five-day period, with a threat of permanent data loss if demands are not met.
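Because CatB prepends its ransom note to each encrypted file instead of renaming the file or dropping a separate note, the most reliable file-system tell is a file whose extension promises a known binary format but whose first bytes are readable text. The following scanner is an added example written for this page, not code from the original report or from a vendor tool. It assumes a PowerShell 5.1+ host, a small table of format magic bytes taken from the respective file-format specifications, and a keyword list (ProtonMail and Bitcoin references, which the report says the note contains) that is an assumption for illustration rather than a signature for the real note text.

```powershell
# Added example (not from the original page): find files that should start
# with a known binary magic but instead begin with text containing ransom-note
# style markers, i.e. a note prepended to the original content.
# Assumptions: PowerShell 5.1+; magic table and marker list are illustrative.

param(
    [string]$Root      = (Join-Path $env:USERPROFILE 'Documents'),
    [int]   $HeadBytes = 2048
)

# Leading bytes of a few common formats, per their specifications.
$magic = @{
    '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)   # %PDF
    '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)   # \x89PNG
    '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
    '.jpeg' = [byte[]](0xFF, 0xD8, 0xFF)
    '.gif'  = [byte[]](0x47, 0x49, 0x46, 0x38)   # GIF8
    '.zip'  = [byte[]](0x50, 0x4B, 0x03, 0x04)   # PK\x03\x04
    '.docx' = [byte[]](0x50, 0x4B, 0x03, 0x04)
    '.xlsx' = [byte[]](0x50, 0x4B, 0x03, 0x04)
}

# Assumed markers: the report says the note names a ProtonMail contact and a
# Bitcoin address. Tune this list to the note text seen in your own case.
$markers = @('proton', 'bitcoin', 'btc', 'decrypt', 'encrypted')

function Test-HeadMatches {
    param([byte[]]$Head, [byte[]]$Expected)
    if ($Head.Length -lt $Expected.Length) { return $false }
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($Head[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $magic.ContainsKey($_.Extension.ToLower()) } |
    ForEach-Object {
        $ext = $_.Extension.ToLower()
        $buf = New-Object byte[] $HeadBytes
        try {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            $n  = $fs.Read($buf, 0, $buf.Length)
            $fs.Dispose()
        } catch { return }                       # locked or unreadable: skip
        if ($n -le 0) { return }                 # empty file: nothing to judge

        $head = New-Object byte[] $n
        [Array]::Copy($buf, $head, $n)
        if (Test-HeadMatches -Head $head -Expected $magic[$ext]) { return }   # intact file

        # Magic is missing: look for note markers in the leading text.
        $text = [System.Text.Encoding]::ASCII.GetString($head).ToLower()
        $hits = @($markers | Where-Object { $text.Contains($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Path        = $_.FullName
                Size        = $_.Length
                ModifiedUtc = $_.LastWriteTimeUtc
                Markers     = ($hits -join ',')
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Files that fail the magic check but carry none of the markers are ignored here to keep noise down; in an incident, dropping the marker filter and reviewing every magic mismatch under a user profile is the more thorough pass. Because the note is prepended rather than written to a separate file, monitoring for new .txt or .html notes on the desktop, which many ransomware detections rely on, will not fire for this family.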
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols
CatB utilizes HTTP or similar protocols to communicate with its command and control (C2) servers. This technique allows the ransomware to exfiltrate data and receive commands in a manner that blends with legitimate web traffic.
T1036 – Masquerading
The malware uses DLL hijacking to evade detection. By exploiting the Microsoft Distributed Transaction Coordinator (MSDTC) service, CatB disguises its malicious payload as a legitimate system file, making it harder for security solutions to identify and block the threat.
T1059.001 – Command and Scripting Interpreter: PowerShell
The dropper component of CatB may use PowerShell or similar scripting interpreters to execute commands and deploy the ransomware payload, leveraging scripting capabilities to perform operations without direct user interaction.
T1047 – Windows Management Instrumentation
CatB may interact with Windows Management Instrumentation (WMI) to gather system information or execute commands. This can help the ransomware tailor its activities based on the system environment.
T1069 – Permission Groups Discovery
The ransomware may assess system permissions and user roles to ensure it has sufficient privileges to execute its payload and encrypt files effectively. This information helps CatB avoid disrupting critical system processes and focus on user files.
T1070.004 – Indicator Removal on Host: File Deletion
After executing its payload, CatB may delete logs or other artifacts to avoid detection and hinder forensic analysis. This technique helps maintain a low profile and extend the malware’s operational lifespan.
T1486 – Data Encrypted for Impact
CatB encrypts files on the infected system, making them inaccessible to the user. This technique is the core functionality of the ransomware, aimed at demanding ransom payments from victims to restore access to their data.
T1040 – Network Sniffing
While not the primary function of CatB, the ransomware may use network sniffing to capture sensitive information or credentials during its operation. This capability complements its data theft and exfiltration efforts.