5/30/2023 0 Comments Wallpaper wizard 101Data extracted from browsers includes bookmarks, blocklists, crash logs, history, user profile data, autofill data, environmental settings, browser session keys, and more.ĬatB malware will also attempt to locate and extract sensitive information from Windows Mail profile data ( \AppData\Local\Microsoft\Windows Mail\). The ransomware contains functionality to discover and extract user data from Mozilla Firefox, Google Chrome, Microsoft Edge as well as Internet Explorer. This includes browser session and credential data. In addition to file encryption and obfuscation, the CatB malware will attempt to gather specific, sensitive information from targeted systems. This file must be included in email correspondence with the attackers as it is, ideally, a unique identifier for each victim or host.Įxample CatB ‘key’ file Credential and Browser Data Theft Generation of unique key fileĪ key file is deposited onto each infected host in c:\users\public\. The ransom price is set to increase each day for five days and, following the fifth day, there will be “permanent data loss” if the victim does not comply.īased on observations, there is no evidence to indicate that CatB operators are generating payment wallets for each victim as the Bitcoin address provided is not unique to each sample. Beyond that, a single Bitcoin (BTC) address is provided for payment submissions. Per the ransom note, the only way to engage the threat actor is via email at the provided catB9991 protonmail address. Ransom note appended to head of encrypted file (catb991 variation) Instead, what could be considered the ransom note is inserted into the beginning of each encrypted file. Once encrypted, there is no blatant indicator – no separate ransom note dropped, no change to the desktop wallpaper, and no antagonizing file extensions. The lack of post-encryption alterations is a trait that sets CatB apart from other contemporaries. ![]() By default, the oci.dll payload will attempt to encrypt C:\users (crawl whole tree), I:, H:, G:, F:, E:, and D. ![]() In addition to the hardcoded exclusions, the local disk volumes to be encrypted are also configured in a similar manner. Msdtc.exe termination syntaxĬatB ransomware excludes the following files and extensions from the encryption process. Taskill.exe is used to terminate the msdtc.exe process once the service configuration changes have been made. As a result, the system will inject the malicious oci.dll into the service’s executable ( msdtc.exe) when the MSDTC service is restarted. The malware then abuses the MSDTC service, manipulating the permissions and startup parameters. Oci.dll payloads in System32 (view from Singularity™ Console) The dropper ( versions.dll) drops the payload ( oci.dll) into the System32 directory. Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores. Sandbox evasion inhibits the analysis process and ultimately leads to more time in the target environment for the attacker.ĬatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. ![]() The dropper DLL is responsible for any sandbox evasion techniques required by the threat actor. This dropper deposits the second DLL payload ( oci.dll) onto the target host. CatB Ransomware Process Graphįirst, the dropper is distributed in the form of a UPX-packed DLL ( versions.dll). ![]() A dropper DLL is responsible for initial evasive environmental checks as well as dropping and launching the second DLL, which serves the ransomware payload. In this post, we offer a technical analysis of the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.ĬatB payloads are distributed as a two DLL set. String similarities in the ransom notes as well as modifications left by the ransomware payloads suggest that CatB may be either an evolution or direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads. The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November.
0 Comments
Leave a Reply. |