CatB Ransomware

Written by The Hivemind | Mar 28, 2023 7:49:33 PM

Related Families: Pandora

Executive Summary

Sentinel One recently reported on CatB ransomware. CatB, also known as CatB99 or Baxtoy, was first seen in the wild in late 2022.

Key Takeaways

  • CatB, also known as CatB99 or Baxtoy, was first seen in the wild in late 2022.
  • The threat actors use DLL hijacking via MSDTC to extract and launch payloads.
  • In addition to encrypting files, CatB steals information, including browser session data, credentials, and other data.

What is CatB?

Sentinel One recently reported on CatB ransomware. CatB, also known as CatB99 or Baxtoy, was first seen in the wild in late 2022. The threat actors use DLL hijacking via MSDTC to extract and launch payloads.

CatB consists of two DLLs: a dropper DLL that performs evasive environment checks and then drops and launches the second DLL, and the second DLL, which is the ransomware payload.

CatB performs three evasive checks to determine whether the payload is running in a virtual environment: it checks the type and size of physical RAM, the type and size of the hard disks, and whether the machine has an unusual combination of processors and cores.

CatB relies on DLL search order hijacking: the malicious payload is dropped into the System32 directory, where MSDTC will find it. CatB then abuses MSDTC to manipulate permissions and startup parameters, and the malicious DLL is injected into msdtc.exe when the service is restarted.

While CatB’s purpose is to encrypt victim files, it excludes files with the .msi, .dll, .sys, and .iso extensions, as well as NTUSER.DAT. CatB encrypts files on drives C:\ through I:\. Unlike most ransomware, CatB makes no visible post-encryption changes: there is no obvious indicator such as a ransom note file, a changed wallpaper, or an appended file extension. Instead, the “ransom note” is inserted at the beginning of each encrypted file.

The ransom instructions direct the victim to contact the threat actor’s protonmail address and to provide a key file that is found in c:\users\public\ on infected machines. A Bitcoin address is provided for payment. The threat actors increase the ransom demand every day for five days; if the ransom is not paid by the end of the fifth day, they threaten permanent data loss.
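As an added defender-side triage script (not code from the PolySwarm post or from Sentinel One's research), the following PowerShell checks the host artifacts described in the two passages above: it lists modules loaded by msdtc.exe that are unsigned or not Microsoft-signed, shows the MSDTC service's start configuration, and lists files recently created in C:\Users\Public where the key file is reported to be left. The 24-hour window and the signer test are heuristics assumed here, and the script should be run elevated.

```powershell
# Added triage script; not code from the PolySwarm post or from Sentinel One.
# CatB is reported to drop its payload DLL into System32, have msdtc.exe load it
# via DLL search-order hijacking once the MSDTC service restarts, and leave a key
# file in C:\Users\Public. Assumptions: run elevated; 24 h window and "Microsoft"
# signer test are heuristics chosen here. Treat every hit as a lead, not a verdict.
param(
    [int]$RecentHours = 24   # assumed window for "recently created" files
)

function Get-SuspiciousMsdtcModules {
    # Flag loaded modules whose Authenticode signature is missing/invalid or not
    # Microsoft's. On older builds catalog-signed system DLLs may show NotSigned.
    $findings = @()
    foreach ($p in (Get-Process -Name msdtc -ErrorAction SilentlyContinue)) {
        foreach ($m in $p.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
                $findings += [pscustomobject]@{
                    Module    = $m.FileName
                    SigStatus = $sig.Status
                    Signer    = $subject
                    Created   = (Get-Item -LiteralPath $m.FileName).CreationTime
                }
            }
        }
    }
    return $findings
}

function Get-MsdtcServiceConfig {
    # CatB is reported to tamper with MSDTC startup parameters; record them.
    Get-CimInstance Win32_Service -Filter "Name='MSDTC'" |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Get-RecentPublicFiles {
    # The report places the victim's key file in C:\Users\Public; list new files.
    $since = (Get-Date).AddHours(-$RecentHours)
    Get-ChildItem -LiteralPath 'C:\Users\Public' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        Select-Object FullName, CreationTime, Length
}

'== msdtc.exe modules that are unsigned or not Microsoft-signed =='
Get-SuspiciousMsdtcModules | Format-Table -AutoSize
'== MSDTC service configuration =='
Get-MsdtcServiceConfig | Format-List
"== Files created in C:\Users\Public in the last $RecentHours h =="
Get-RecentPublicFiles | Format-Table -AutoSize
```

Compare the module list and service configuration against a known-good host of the same Windows build, since a legitimately catalog-signed DLL can appear as NotSigned on some builds.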

In addition to encrypting files, CatB steals information, including browser session data, bookmarks, blocklists, crash logs, history, user profile data, autofill data, and credentials. It currently targets Firefox, Chrome, Edge, and Internet Explorer browsers.

While the threat actors responsible for CatB have not been identified, Sentinel One researchers noted similarities between CatB and Pandora ransomware and assessed that CatB may be an evolution or rebrand of Pandora. Pandora was active in mid-2022 and primarily targeted the automotive industry.

IOCs

PolySwarm has multiple samples of CatB.

35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b
512587a73cd03c6324ade468689510472c6b9e54074f3cf115aa54393b14f037
83129ed45151a706dff8f4e7a3b0736557f7284769016c2fb00018d0d3932cfa

You can use the following CLI command to search for all CatB samples in our portal:

$ polyswarm link list -f CatB