The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.

String similarities in the ransom notes as well as modifications left by the ransomware payloads suggest that CatB may be either an evolution or direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry.

In this post, we offer a technical analysis of the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.

CatB Ransomware Technical Information

CatB payloads are distributed as a two DLL set. A dropper DLL is responsible for initial evasive environmental checks as well as dropping and launching the second DLL, which serves the ransomware payload.

First, the dropper is distributed in the form of a UPX-packed DLL (versions.dll). This dropper deposits the second DLL payload (oci.dll) onto the target host. The dropper DLL is responsible for any sandbox evasion techniques required by the threat actor. Sandbox evasion inhibits the analysis process and ultimately leads to more time in the target environment for the attacker.

CatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores.

Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.

The malware then abuses the MSDTC service, manipulating the permissions and startup parameters. As a result, the system will inject the malicious oci.dll into the service’s executable (msdtc.exe) when the MSDTC service is restarted. Taskill.exe is used to terminate the msdtc.exe process once the service configuration changes have been made.

CatB ransomware excludes the following files and extensions from the encryption process: .msi, .dll, .sys, .iso and NTUSER.DAT.

In addition to the hardcoded exclusions, the local disk volumes to be encrypted are also configured in a similar manner. By default, the oci.dll payload will attempt to encrypt C:users (crawl whole tree), I:, H:, G:, F:, E:, and D:.

The lack of post-encryption alterations is a trait that sets CatB apart from other contemporaries. Once encrypted, there is no blatant indicator – no separate ransom note dropped, no change to the desktop wallpaper, and no antagonizing file extensions. Instead, what could be considered the ransom note is inserted into the beginning of each encrypted file.

Per the ransom note, the only way to engage the threat actor is via email at the provided catB9991 protonmail address. Beyond that, a single Bitcoin (BTC) address is provided for payment submissions. The ransom price is set to increase each day for five days and, following the fifth day, there will be “permanent data loss” if the victim does not comply.

Based on observations, there is no evidence to indicate that CatB operators are generating payment wallets for each victim as the Bitcoin address provided is not unique to each sample.

A key file is deposited onto each infected host in c:userspublic. This file must be included in email correspondence with the attackers as it is, ideally, a unique identifier for each victim or host.

Credential and Browser Data Theft

In addition to file encryption and obfuscation, the CatB malware will attempt to gather specific, sensitive information from targeted systems. This includes browser session and credential data.

The ransomware contains functionality to discover and extract user data from Mozilla Firefox, Google Chrome, Microsoft Edge as well as Internet Explorer. Data extracted from browsers includes bookmarks, blocklists, crash logs, history, user profile data, autofill data, environmental settings, browser session keys, and more.

CatB malware will also attempt to locate and extract sensitive information from Windows Mail profile data (AppDataLocalMicrosoftWindows Mail).

Variations of CatB Threat Campaigns

Samples pulled from a November 2022 campaign feature a different contact email address, fishA001[@]protonmail.com. This later changes to the catB9991 protonmail address mentioned above. This is the only difference with regards to the ransom notes. Other details such as payment-per-day breakdowns and the BTC payment address are identical.

We have also encountered variations which include both email addresses. When these ‘double email’ notes are appended to the head of files, it looks as follows:

These ransom notes display all the same features minus the BTC payment address. Also missing is the requirement to submit the key file in cuserspublickey. Notes that are missing the key submission feature suggest that they are artifacts of an earlier ‘test’ version of the ransomware.

BTC Payment / Blockchain Status

As the time of writing, the BTC address associated with CatB ransomware have zero transactions and a zero balance.

Conclusion

CatB joins a long line of ransomware families that embrace semi-novel techniques and atypical behaviors such as appending notes to the head of files. These behaviors appear to be implemented in the interest of detection evasion and some level of anti-analysis trickery. For example, many environments rely solely on the appearance of ransom notes to alert them to the potential of a ransomware outbreak. This is not the case with CatB.

Despite that, the threat lacks in overall sophistication, and a modern, properly configured, XDR/EDR solution should alert quickly upon initiation of a CatB attack in the environment.

SentinelOne Singularity fully prevents and protects customers against malicious behaviors associated with CatB Ransomware.

Indicators of Compromise

SHA1 CatB Samples

1028a0e6cecb8cfc4513abdbe3b9d948cf7a5567
8c11109da1d7b9d3e0e173fd24eb4b7462073174
951e603af10ec366ef0f258bf8d912efedbb5a4b (early version note example)
db99fc79a64873bef25998681392ac9be2c1c99c
dd3d62a6604f28ebeeec36baa843112df80b0933

Email addresses

catB9991[at]protonmail[.]com
fishA001[at]protonmail[.]com

BTC Wallets

bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz

The Good

Prolific ransomware gang, DoppelPaymer (aka Grief), took a major hit this week as a number of their core members were arrested in Germany and Ukraine. In a joint operation conducted by Europol, the FBI, and the Dutch police force, two individuals have been taken into custody following multiple raids in both countries. IT experts and investigators are currently examining all seized electronic devices for forensic evidence and crypto tracing. In their statement, Europol stated that data from the resulting analysis is expected to trigger investigations in related cases.

Russian-linked DoppelPaymer has cost enterprises millions over the years. Operating as a Ransomware-as-a-Service (RaaS), they often leverage Emotet and Drydex malware variants to launch high profile, double extortion attacks focused on healthcare, government, and education sectors. In 2020, the gang crashed the operational systems of a hospital in Düsseldorf, causing critical delays in emergency treatments. The resulting death of one patient is often referred to as the first possible case of indirect casualty due to cyberattack. Past victims of the gang include SpaceX, NASA, Kia Motors, Compal, and Foxconn.

The DoppelPaymer sting operation is ongoing and authorities have issued arrest warrants for three more principal members who are still at large. Three suspects, Igor Olegovich Turashev, Irina Zemlyanikina, and Igor Garshin, are all wanted on charges including extortion, computer sabotage, spying, data encryption, and the administration of DoppelPaymer’s IT infrastructure, internal chats, and leak sites.

This operation is the latest in a global effort to crackdown on prominent ransomware syndicates. While collaboration between international authorities make impactful progress on dismantling cybercriminal networks, police urge organizations to continue reporting attacks immediately and implementing proactive measures against ever-rising ransomware attacks.

The Bad

IceFire ransomware operators have launched a new dedicated encryptor to actively target Linux systems. Reported this week by SentinelLabs, the ransomware gang recently targeted several media and entertainment enterprises across the world, encrypting their systems with the novel malware variant.

In this recent string of breaches, IceFire was observed exploiting a deserialization vulnerability tracked as CVE-2022-47986 (CVSS score 9.8) within IBM’s Aspera Faspex product (4.42 Patch Level 1) to deploy ransomware payloads. IceFire operators leveraged this flaw to execute arbitrary code on the infected system by sending a specially crafted obsolete API call. Upon execution, the IceFire ransomware works by encrypting files and adding the iFire extension to the name before deleting itself and removing the binary to wipe its own tracks.

SentinelLabs researchers explained that, in comparison to Windows, attackers have more difficulty deploying ransomware within Linux servers, especially at scale. To overcome this, attackers are increasingly turning to exploiting vulnerabilities within applications. Shodan, at the time of this publication, currently shows 158 Aspera Faspex servers exposed online mostly in the United States and China.

The shift from targeting Windows to Linux systems is a strategic one that is gaining traction across the greater cyberthreat landscape. Ransomware groups such as Cl0p, Hive, LockBit, HelloKitty, BlackMatter, RansomEXX, and AvosLocker have also made this move, seemingly to match global enterprises who have transitioned to Linux-powered virtual machines in the past few years. Researchers at SentinelLabs note that the recent evolution for IceFire is a clear indication that this trend will continue to grow in popularity throughout the rest of 2023.

The Ugly

A security advisory published by Fortinet this week disclosed a critical buffer underflow vulnerability impacting the company’s FortiOS and FortiProxy products. Tracked as CVE-2023-25610 (CVSS score 9.3), the vulnerability allows an unauthenticated attacker to execute arbitrary code or launch a denial of service (DoS) attack on the GUI of vulnerable devices.

Attention! Fortinet has released security patches for 15 new flaws, including a critical #vulnerability (CVE-2023-25610) affecting FortiOS and FortiProxy that could allow attackers to take control of affected systems.

Details: https://t.co/HqSHkSNKpS#infosec #cybersecurity

— Swati Khandelwal (@Swati_THN) March 9, 2023

This type of vulnerability is the result of programs trying to read more data from a memory buffer than what is available. In this scenario, the program must access adjacent memory locations that may lead to crashes and data loss. Buffer underflow vulnerabilities are most often leveraged by attackers for remote code execution (RCE) and DoS attacks. Fortinet strongly urges its users to deploy the security updates immediately. As a temporary workaround, users may also choose to disable access to the HTTP/HTTPS administrative interface or limit the IP addresses that have access to the interface.

Though Fortinet notes that it is not aware of any instance of exploitation of CVE-2023-25610 in the wild, this flaw closely follows on the heels of two other critical RCE flaws that impacted the company’s FortiNAC and FortiWeb products. Just four days after fixes were published for the pair of RCE flaws, a working proof-of-concept was made public resulting in immediate exploitation in the wild. Security teams are reminded that opportunistic attackers continuously sweep for vulnerabilities that allow them to gain initial access with as little work as possible. Critical-level vulnerabilities, particularly those that do not require authentication, are highly attractive to attackers and should be patched as a priority.

Today is International Women’s Day and the theme for this year is #EmbraceEquity. Even with our progress in gender equality, women are still grossly underrepresented in the workplace – only 1 in 4 C-suite executives is a woman, and only 1 in 20 is a woman of color.

In the tech industry, the story is similar. Roughly 25% of all tech workers are women and the imbalance dips to 16% female representation in software engineering. As we work to close the gap, women’s representation in tech new hires has increased slightly to 31%.

The recent spate of tech layoffs is not helping progress. Women account for 46% of those let go; a statistic that exponentially shrinks an already underrepresented group. Transformative change will take mass action from all and call for a seismic shift in the way we #EmbraceEquity in the workplace.

I am encouraged that many leaders are coming forward to find a path where they foster diverse workplaces without compromising on the quality of talent or impact. They realize that a more diverse, equitable and inclusive company is a more successful one. Women bring amazing talents, skill sets, experiences, and perspectives that are critical to success.

Here are five ways to #EmbraceEquity in the workplace and close the gender gap to ensure women have the same access to successful, fulfilling careers in tech and have game-changing impact on their workplaces and communities.

1. Shine the Spotlight | Diversify Your Talent Pipeline

More often than not, most leaders today want to take action, but first we need to sincerely address the common refrain of “we just don’t have diverse talent in our pipeline!”

This needs attention at all levels. A strong university recruiting and internship program can have a big impact in diversifying your pipeline, so invest in that. These can and will be your leaders for tomorrow and dramatically influence your talent mix so prioritize these programs in your operating plans. Growing your own talent will always be more effective on impact and your operating margin than poaching from your competition.

Next, closing the gender gap starts with fair and equitable hiring practices and tracking for action against those. Having qualified female representation both in the candidate slate and interview panel is paramount with more than one qualified woman candidate advancing to the final interview round. It’s also critical to have pipeline reporting where applicable by law to know just how many women are being considered – you can’t grow what you don’t know!

Most importantly, creating a culture where all voices are heard is central to have people from all genders, representations and backgrounds succeed. Succession planning, internal promotions, and a commitment to career pathing are important pathways to growing and retaining top talent on your bench. If you don’t create opportunities for your high-performing females one thing is for certain – your competitors will.

2. Amplify the Power of Community

The power of community invigorates and blazes trails for many across your organization to succeed. Create several platforms for women and their allies to connect with each other to share their journeys and stories and learn from mentorship opportunities. Employee-led women’s networks can foster an inclusive workplace and are critical catalysts for positive change, giving people a great way to network, learn, and celebrate what makes us different and unique. Leadership advocacy is crucial to success within a women’s network and for ensuring that the issues that matter most to gender equity are heard at the highest levels.

Look for established experts in the space to connect and collaborate with such as Women in Cybersecurity, Girls Who Code, and AnitaB.org. Sponsoring women of all levels to get engaged with non-profit advocacy groups is a great way to encourage networking while casting a wide net for new female talent.

3. Drive Accountability with Insights & Data

‘Diversity and Inclusion’ is not an initiative; it’s a way of operating. Just as we measure operational efficiency, sales success, and profit margin, if you want to truly #EmbraceEquity, you have to set reasonable goals, create meaningful KPIs, and consistently monitor progress. Statistics like overall gender percentages, percentage of female promotions, diversity mix of both internal and external talent pipelines and percentage of women in leadership positions are key metrics to measure improvement.

Just as important as measuring progress is halting any actions that could stop it. Swift action must be taken on any discriminatory behavior in the workplace.

4. Foster Equity Through Learning

A learning culture is a more equitable one. To fully #EmbraceEquity, there must be a defined DEI learning journey for all employees at all levels. It starts with leadership training and coaching and includes other key concepts like unconscious bias, microaggressions, sexual harassment, and bystander intervention.

Taking the time to listen and learn from the experiences of others might be the most insightful learning of all. Creating authentic mentoring relationships for women can increase confidence and accelerate development. Best part of the equation? Both sides of the relationship are better for the experience!

5. Make Space to Hear All Voices

When women feel they are being heard and that their voice matters, they use it more. Helping others find their voice can be as simple as asking for an opinion in a meeting or inviting someone to collaborate on a project. Seeking the power of female voices will not only improve your process, it will improve your product.

Inviting women of all levels and functions to make an impact is a win-win on all sides of the equation. You are instilling confidence, unlocking productivity, and building your leadership bench. Making a commitment to #EmbraceEquity is not just something we are doing to improve the workplace – it’s a call to action to improve the world!

About the Author

Divya Ghatak is a top tech talent executive with over 20 years of global experience. As the Chief People Officer at SentinelOne, Divya is a transformative leader who drives a people-first experience and fosters a values-driven culture. Her true passion is equity in the workplace and continuing to close the gender gap in tech for the next generation, including her lovely daughter, Ananya.

SentinelOne has been observing phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses. In this blog post, we summarize our observations on these campaigns to equip defenders with the information they need to protect against this threat.

DBatLoader is characterized by the abuse of public Cloud infrastructure to host its malware staging component. The feature-rich RAT Remcos is actively used by threat actors with cybercriminal and espionage motivations. Threat actors typically distribute the RAT through phishing emails and stage it on systems using a variety of forms and methods.

Examples include the use of the TrickGate loader stored in archive files, malicious ISO images, and URLs to VBScript scripts embedded in pictures. Further, the Ukrainian CERT has recently issued reports on Remcos RAT phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments.

This report compliments the available information about recent phishing campaigns that distribute Remcos by highlighting the way in which DBatLoader stages the RAT on infected systems.

DBatLoader and Remcos Phishing Emails

The phishing emails distributing DBatLoader and Remcos have attachments in the form of tar.lz archives that typically masquerade as financial documents, such as invoices or tender documentation. To make the emails look credible, we observed the threat actors using a variety of techniques.

From the recipient’s perspective, the phishing emails originate from institutions or business organizations related to the target such that sending an invoice would be realistic. The emails are typically sent to the sales departments of the targets or their main contact email addresses as disclosed online.

We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations which are supposedly sending the email.

Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based. These emails typically do not contain any text accompanying the malicious attachment or contain text written in the language of the target’s country. In the cases where the threat actors are not masquerading the phishing emails as originating from an institution or business organization local to the target, the emails contain text written in English.

DBatLoader Staging Remcos RAT

The tar.lz archives attached to phishing emails contain DBatLoader executables. These pack Remcos and usually masquerade as Microsoft Office, LibreOffice, or PDF documents using double extensions and/or application icons.

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public Cloud location. We observed download links to Microsoft OneDrive and Google Drive sites (under the drive.google.com and onedrive.live.com domains) with varying lifetime spans, the longest of which was more than one month.

The Cloud file storage locations that were active while we investigated contained only the second-stage DBatLoader payload data and were registered to individuals. We have no knowledge at this point whether the threat actors have been using self-registered and/or compromised Microsoft OneDrive and Google Drive credentials to host DBatLoader payload.

The malware then creates and executes an initial Windows batch script in the %Public%Libraries directory. This script abuses a known method for bypassing Windows User Account Control that involves the creation of mock trusted directories, such as %SystemRoot%System32, by using trailing spaces. This enables the attackers to conduct elevated activities without alerting users.

The script creates the mock %SystemRoot%System32 trusted directory by issuing requests directly to the file system – note the prepended ? to the directory names. It then copies into this directory a KDECO.bat batch script, the legitimate easinvoker.exe (Exchange ActiveSync Invoker) executable, and a malicious netutils.dll DLL file, which DBatLoader had previously dropped in the %Public%Libraries directory. The script then executes the easinvoker.exe copy and deletes the mock directory.

When it comes to the netutils.dll DLL, easinvoker.exe is susceptible to DLL hijacking enabling the execution of the malicious netutils.dll in its context. easinvoker.exe is an auto-elevated executable, meaning that Windows automatically elevates this process without issuing an UAC prompt if located in a trusted directory – the mock %SystemRoot%System32 directory ensures this criteria is fulfilled.

easinvoker.exe loads the malicious netutils.dll, which executes the KDECO.bat script.

As an anti-detection measure, KDECO.bat adds the C:Users directory to the Microsoft Defender exclusion list to exclude the directory from scanning.

powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:Users'"

DBatLoader establishes persistence across system reboots by copying itself in the %Public%Libraries directory and creating an autorun registry key under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. This key points to an Internet Shortcut file that executes the DBatLoader executable in %Public%Libraries, which in turn executes Remcos through process injection.

We observed a wide variety of Remcos configurations, most of which configured keylogging and screenshot theft capabilities as well as duckdns dynamic DNS domains for C2 purposes.

Recommendations for Users and Administrators

To reduce risk, users should remain alert against phishing attacks and avoid opening attachments from unknown sources. It is important to note that DBatLoader and Remcos are often disguised as financial documents, emphasizing caution when handling such files.

For administrators:

• Stay vigilant against malicious network requests to public Cloud instances. The use of public Cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate, making detection harder for defenders. This tactic is popular amongst cyber criminals and espionage threat actors, a recent example being the WIP 26 espionage activity reported by SentinelLabs and QGroup GmbH.
• Monitor for suspicious file creation activities in the %Public%Library directory and process execution activities that involve filesystem paths with trailing spaces, especially Windows . The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%System32.
• Consider configuring Windows UAC to Always notify, which will always alert users when a program attempts to make changes to your computers.

Conclusion

The Remcos RAT, which is distributed through phishing campaigns utilizing the DBatLoader malware loader, poses a significant threat to Eastern European organizations and enterprises. Remcos is known for its use in cybercriminal and espionage campaigns. Threat actors have used various methods, such as the TrickGate loader, malicious ISO images, and URLs embedded in pictures, to plant the RAT on systems. DBatLoader leverages public Cloud infrastructure to host its malware staging component. To protect against these attacks, administrators must remain attentive against phishing attempts, educate users to avoid opening attachments from unknown senders, and deploy advanced security measures such as XDR. Implementing XDR can provide comprehensive visibility across endpoints, cloud workloads, and network infrastructure, allowing organizations to detect and respond to threats quickly and effectively. By adopting these measures, institutions and businesses can lower their risk of falling victim to these attacks and safeguard their sensitive data.