Related Families: Pandora
- CatB, also known as CatB99 or Baxtoy, was first seen in the wild in late 2022.
- The threat actors use DLL hijacking via MSDTC to extract and launch payloads.
- In addition to encrypting files, CatB steals information, including browser session data, credentials, and other data.
What is CatB?
Sentinel One recently reported on CatB ransomware. CatB, also known as CatB99 or Baxtoy, was first seen in the wild in late 2022. The threat actors use DLL hijacking via MSDTC to extract and launch payloads.
CatB consists of two DLLs: a dropper DLL that performs evasive environmental checks and then drops and launches the second DLL, which is the ransomware payload.
CatB performs three evasive checks to determine whether the payload is being executed in a virtual environment. These check for the type and size of physical RAM, the type and size of hard disks, and the presence of any odd combinations of processors and cores.
CatB uses DLL search order hijacking: the malicious payload DLL is dropped into the System32 directory. CatB then abuses MSDTC, manipulating the service's permissions and startup parameters so that the malicious DLL is loaded into msdtc.exe when the service is restarted.
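Because the hijacked DLL sits in System32 alongside legitimate libraries, a path-based rule is not enough; signer-based checks on what msdtc.exe loads are more useful. The following Python is an added detection example (not code from the Sentinel One report or from PolySwarm): it flags DLLs loaded into msdtc.exe that are unsigned or not Microsoft-signed, using constructed Sysmon Event ID 7 (ImageLoad) records rendered as key=value lines. The DLL file names are placeholders, and the key=value rendering is a simplification of Sysmon's real output.

```python
"""Flag suspicious image loads into msdtc.exe (constructed example)."""
import re
from typing import Dict, List

# Constructed sample events; field names follow Sysmon Event ID 7, but the
# key=value layout and the DLL names are assumptions, not real telemetry.
SAMPLE_EVENTS = [
    'EventID=7 Image=C:\\Windows\\System32\\msdtc.exe '
    'ImageLoaded=C:\\Windows\\System32\\kernel32.dll '
    'Signed=true SignatureStatus=Valid Signature="Microsoft Windows"',
    'EventID=7 Image=C:\\Windows\\System32\\msdtc.exe '
    'ImageLoaded=C:\\Windows\\System32\\placeholder_hijacked.dll '
    'Signed=false SignatureStatus=Unavailable Signature=""',
    'EventID=7 Image=C:\\Windows\\System32\\svchost.exe '
    'ImageLoaded=C:\\Windows\\System32\\unsigned_other.dll '
    'Signed=false SignatureStatus=Unavailable Signature=""',
    'EventID=7 Image=C:\\Windows\\System32\\msdtc.exe '
    'ImageLoaded=C:\\Windows\\System32\\thirdparty.dll '
    'Signed=true SignatureStatus=Valid Signature="Contoso Ltd"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_suspicious_msdtc_load(ev: Dict[str, str]) -> bool:
    """True when msdtc.exe loads a DLL that is unsigned or not Microsoft-signed.

    Trust is decided on the signer rather than the path, because the hijacked
    DLL lives in System32 exactly like the legitimate ones.
    """
    if ev.get("EventID") != "7":
        return False
    if not ev.get("Image", "").lower().endswith("\\msdtc.exe"):
        return False
    if not ev.get("ImageLoaded", "").lower().endswith(".dll"):
        return False
    signed_ok = (ev.get("Signed", "").lower() == "true"
                 and ev.get("SignatureStatus") == "Valid")
    microsoft = ev.get("Signature", "").startswith("Microsoft")
    return not (signed_ok and microsoft)


def find_suspicious(lines: List[str]) -> List[str]:
    """Return the ImageLoaded paths of all suspicious msdtc.exe loads."""
    events = (parse_event(line) for line in lines)
    return [ev["ImageLoaded"] for ev in events if is_suspicious_msdtc_load(ev)]
```

The Microsoft-only signer rule will also flag legitimately installed third-party DLLs that msdtc.exe loads, so tune the allowed signers to your environment before alerting on it.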
While CatB’s purpose is to encrypt victim files, it excludes files with the .msi, .dll, .sys, and .iso extensions, as well as NTUSER.DAT. CatB encrypts files on drives C:\ - I:\. Unlike most ransomware, CatB makes none of the usual post-encryption changes: there is no obvious indicator such as a ransom note, changed wallpaper, or appended file extension. Instead, the “ransom note” is inserted at the beginning of each encrypted file.
The ransom instructions direct the victim to contact the threat actor’s protonmail address and provide a key file that is found in c:\users\public\ on infected machines. A Bitcoin address is provided for payment. The threat actors increase the ransom demand every day for five days. If the ransom is not paid at the end of the fifth day, the threat actors threaten permanent data loss.
In addition to encrypting files, CatB steals information, including browser session data, bookmarks, blocklists, crash logs, history, user profile data, autofill data, and credentials. It currently targets Firefox, Chrome, Edge, and Internet Explorer browsers.
While the threat actors responsible for CatB have not been identified, Sentinel One researchers noted similarities between CatB and Pandora ransomware and assessed that CatB may be an evolution or rebrand of Pandora. Pandora was active in mid-2022 and primarily targeted the automotive industry.
PolySwarm has multiple samples of CatB.
You can use the following CLI command to search for all CatB samples in our portal:
$ polyswarm link list -f CatB