
CatB Ransomware

The CatB Ransomware is a nasty threat that targets corporate entities. It was initially thought to be a variant of the Pandora Ransomware because of similarities between their ransom notes, but the two are quite distinct. CatB performs anti-VM checks to verify that it is executing on a 'real machine,' then drops a DLL and uses DLL hijacking to evade detection. The malware consists of two files: 'version.dll,' which is packed with UPX and carries out the anti-VM checks, and 'oci.dll,' the ransomware payload, which is executed after being dropped.

Checking for Sandbox Environments

Analysis of CatB has uncovered three different methods the threat uses to ensure that it is being executed on a real computer rather than in a VM or sandbox. It checks the number of processor cores, verifies the system's total physical memory, and considers the size of the connected hard drive.

Modern computers typically meet certain minimum hardware specifications. If CatB finds values that fall below what it expects, it treats this as a sign that it is not running on a real system. For example, most computers have at least two processor cores, so the presence of only one is judged suspicious. The same applies to physical memory size: the CatB Ransomware uses the GlobalMemoryStatusEx API function to retrieve this information and will close itself if the result shows less than 2GB of physical memory. Finally, the ransomware will not activate if it determines that its current environment has less than 50GB of hard drive space.
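The three thresholds above are useful to defenders in one concrete way: an analysis VM that is sized below them will never detonate the sample. The following script is an added example (not code from CatB or from this article) that audits a host against exactly those figures. The function names and structure are this example's own; the thresholds (2 cores, 2GB RAM, 50GB disk) come from the article, and on Windows the memory figure is read through GlobalMemoryStatusEx, the API the article names.

```python
"""Audit whether an analysis VM would pass CatB's hardware sanity checks.

Added example; not code from CatB or from the article. Thresholds are the
ones the article reports: at least 2 processor cores, at least 2 GB of
physical memory and at least 50 GB of disk. Everything else (names, layout)
is this example's own.
"""
import os
import shutil
import sys

GB = 1024 ** 3
MIN_CORES = 2
MIN_MEMORY = 2 * GB
MIN_DISK = 50 * GB


def evaluate_profile(cores, memory_bytes, disk_bytes):
    """Return the names of the checks an analysis machine would FAIL.

    A failure means the sample would most likely refuse to run, so the
    sandbox should be resized before the sample is detonated again.
    """
    failures = []
    if cores < MIN_CORES:
        failures.append("cores")
    if memory_bytes < MIN_MEMORY:
        failures.append("memory")
    if disk_bytes < MIN_DISK:
        failures.append("disk")
    return failures


def physical_memory_bytes():
    """Best-effort total physical memory for Linux and Windows hosts."""
    if sys.platform.startswith("linux"):
        with open("/proc/meminfo") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) * 1024  # /proc reports kB
    elif sys.platform == "win32":
        import ctypes

        # GlobalMemoryStatusEx: the API the article says CatB queries.
        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [
                ("dwLength", ctypes.c_ulong),
                ("dwMemoryLoad", ctypes.c_ulong),
                ("ullTotalPhys", ctypes.c_ulonglong),
                ("ullAvailPhys", ctypes.c_ulonglong),
                ("ullTotalPageFile", ctypes.c_ulonglong),
                ("ullAvailPageFile", ctypes.c_ulonglong),
                ("ullTotalVirtual", ctypes.c_ulonglong),
                ("ullAvailVirtual", ctypes.c_ulonglong),
                ("ullAvailExtendedVirtual", ctypes.c_ulonglong),
            ]

        stat = MEMORYSTATUSEX()
        stat.dwLength = ctypes.sizeof(MEMORYSTATUSEX)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(stat))
        return stat.ullTotalPhys
    return 0  # unknown platform: reported as 0 so it shows up as a failure


def audit_this_host(path=None):
    """Collect this host's figures and return (figures, failing_checks)."""
    if path is None:
        path = os.environ.get("SystemDrive", "C:") + "\\" if sys.platform == "win32" else "/"
    figures = {
        "cores": os.cpu_count() or 0,
        "memory_bytes": physical_memory_bytes(),
        "disk_bytes": shutil.disk_usage(path).total,
    }
    return figures, evaluate_profile(**figures)


if __name__ == "__main__":
    figures, failures = audit_this_host()
    print(figures)
    print("would pass CatB's checks" if not failures else "would FAIL: " + ", ".join(failures))
```

Run it inside the sandbox image before detonating the sample; any name in the failure list is a dimension to raise in the VM definition.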

DLL Hijacking and Persistence

If all anti-VM checks pass, the dropper will proceed to drop the ransomware payload (oci.dll) into the C:\Windows\System32 folder and modify the configurations of the MSDTC service (the Distributed Transaction Coordinator Windows service, which is responsible for coordinating transactions between databases and Web servers). The modifications include changing the name of the account running the service from Network Service to Local System, granting it admin rights, and altering its start option from Demand start to Auto start to maintain persistence after a system restart.

Once the dropper has altered the necessary settings, it launches the service. By default, this service tries to load several DLLs from the System32 folder. This allows the threat to place an illegitimate DLL (such as oci.dll) in that directory and have the service run the malicious code.
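The service changes described in this section leave a footprint that is easy to check for: a start type switched to automatic, a service account switched to LocalSystem, and a DLL named oci.dll sitting in System32. The script below is an added example (not part of the article) that evaluates a snapshot of the MSDTC configuration in the text format that `sc qc msdtc` prints on Windows, together with a listing of System32. The sample output embedded in it is constructed to show the tampered state; the baseline values it compares against (NT AUTHORITY\NetworkService, DEMAND_START) are MSDTC's Windows defaults, and the helper names are this example's own.

```python
"""Flag the MSDTC service changes and the DLL drop that the article attributes to CatB.

Added example; not code from the article. It works on a text snapshot of
`sc qc msdtc` plus a directory listing so that it runs offline. On a live host,
feed it the real command output and os.listdir(r"C:\Windows\System32").
"""
import re

# MSDTC defaults on Windows; anything else deserves a look.
EXPECTED_ACCOUNT = r"nt authority\networkservice"
EXPECTED_START = "demand_start"
# Payload name reported for CatB; MSDTC loads DLLs from System32.
SUSPECT_DLLS = {"oci.dll"}

# Constructed sample of `sc qc msdtc` output AFTER the changes the article describes.
TAMPERED_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: msdtc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\msdtc.exe
        LOAD_ORDER_GROUP   : MSDTC
        TAG                : 0
        DISPLAY_NAME       : Distributed Transaction Coordinator
        DEPENDENCIES       : RPCSS
                           : SamSS
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample of the same command on an untouched host.
BASELINE_SC_QC = TAMPERED_SC_QC.replace("2   AUTO_START", "3   DEMAND_START") \
                               .replace("LocalSystem", "NT AUTHORITY\\NetworkService")

# Constructed directory listings (a real one has thousands of entries).
TAMPERED_SYSTEM32 = ["msdtc.exe", "kernel32.dll", "oci.dll"]
BASELINE_SYSTEM32 = ["msdtc.exe", "kernel32.dll"]


def parse_sc_qc(text):
    """Parse `sc qc` output into {"start_type": ..., "account": ...}."""
    config = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "START_TYPE":
            config["start_type"] = value.split()[-1]      # e.g. "AUTO_START"
        elif key == "SERVICE_START_NAME":
            config["account"] = value
    return config


def assess_msdtc(sc_qc_text, system32_listing):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    config = parse_sc_qc(sc_qc_text)
    findings = []
    account = config.get("account", "")
    if account.lower() != EXPECTED_ACCOUNT:
        findings.append(f"msdtc runs as '{account}' instead of NT AUTHORITY\\NetworkService")
    start = config.get("start_type", "")
    if start.lower() != EXPECTED_START:
        findings.append(f"msdtc start type is {start} instead of DEMAND_START")
    present = {name.lower() for name in system32_listing} & SUSPECT_DLLS
    for name in sorted(present):
        findings.append(f"{name} is present in System32, where msdtc.exe loads it")
    return findings


if __name__ == "__main__":
    for label, text, listing in (("baseline", BASELINE_SC_QC, BASELINE_SYSTEM32),
                                 ("tampered", TAMPERED_SC_QC, TAMPERED_SYSTEM32)):
        print(label, assess_msdtc(text, listing) or ["no findings"])
```

The three findings map one-to-one onto the modifications described above, so a hit on all three is a strong signal, while a lone start-type change is worth correlating with the service's change history before calling it malicious.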

Encryption Routine and Ransom Demands

The encryption of the victim's data begins the moment the CatB Ransomware payload file 'oci.dll' is loaded into the 'msdtc.exe' process. During its execution, CatB exhibits several characteristics that set it apart from more common ransomware threats. First, it enumerates the existing disks and drives and only encrypts those on its hardcoded list - the D:\, E:\, F:\, G:\, H:\ and I:\ drives, plus all files contained in C:\Users and its sub-folders. To avoid causing critical system errors that would prevent the victims from even noticing the ransomware attack, CatB leaves several file extensions untouched - .msi, .exe, .dll, .sys and .iso - as well as the NTUSER.DAT file. Note that CatB does not change the names of the files it encrypts in any way.

Another deviation from the norm is the way the CatB Ransomware delivers its ransom note. Instead of creating a text file with the ransom-demanding message in each folder containing locked data, the threat prepends its message to every encrypted file. This means that victims may initially be confused about why their files appear corrupted and will only be presented with the attackers' demands when trying to open one of the impacted files. The ransom note states that CatB Ransomware uses the RSA-2048 encryption algorithm and that the size of the demanded ransom depends on how long victims take to pay. The sums range from 50 Bitcoin (~$800 000) to 130 Bitcoin (~$2 Million). After five days, the hackers threaten that all encrypted data will be lost permanently. Victims can apparently send up to 3 files to the 'catB9991@protonmail.com' email address to be decrypted for free.

The full text of CatB Ransomware's note is:

'??? What happend???
!!! Your files are encrypted !!!

All your files are protected by strong encryption with RSA-2048.
There is no public decryption software.

Program and private key, What is the price? The price depends on how fast you can pay to us.

1 day : 50 Bitcoin
2 day : 60 Bitcoin
3 day : 90 Bitcoin
4 day : 130 Bitcoin
5 day : permanent data loss !!!!

Btc Address: bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz
!!! After received, we will send program and private key to your IT department right now.!!!

Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.
email: catB9991@protonmail.com

!!! Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.!!!
!!! Our program can repair your computer in few minutes.!!!'
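Because CatB keeps file names unchanged and prepends the note above to every encrypted file, the quickest way to scope an incident is to scan file headers for the note's opening line rather than to look for renamed files. The script below is an added example (not part of the article or the threat) that does this over a directory tree. The marker is the first line of the note quoted above; the sample tree it builds in a temporary directory is constructed so the script runs offline, and the helper names are this example's own.

```python
"""Enumerate files that carry the CatB ransom note as a prefix.

Added example; not code from the article. CatB does not rename encrypted
files but writes its note at the start of each one, so a header scan finds
them. The sample tree below is constructed for demonstration.
"""
import os
import tempfile
from pathlib import Path

# Opening line of the ransom note quoted in the article (spelling as in the note).
NOTE_MARKER = b"??? What happend???"
# Extensions the article says CatB skips; a hit on one of these is unexpected.
SKIPPED_EXT = {".msi", ".exe", ".dll", ".sys", ".iso"}


def is_prefixed_with_note(path, marker=NOTE_MARKER):
    """True if the file's first bytes are exactly the note marker."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(marker)) == marker
    except OSError:
        return False  # unreadable or vanished file: not counted as a hit


def scan_tree(root):
    """Return sorted POSIX-style relative paths of files starting with the marker."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if is_prefixed_with_note(full):
                hits.append(full.relative_to(root).as_posix())
    return sorted(hits)


def unexpected_hits(hits):
    """Hits whose extension CatB normally skips; useful for spotting scan noise."""
    return [h for h in hits if Path(h).suffix.lower() in SKIPPED_EXT]


def build_sample_tree(root):
    """Construct a tiny victim-like tree: two note-prefixed files, two untouched ones."""
    root = Path(root)
    (root / "Documents").mkdir(parents=True, exist_ok=True)
    (root / "Pictures").mkdir(parents=True, exist_ok=True)
    # Constructed "encrypted" files: note prefix followed by opaque bytes.
    (root / "Documents" / "report.docx").write_bytes(NOTE_MARKER + b"\n!!! Your files are encrypted !!!\n" + bytes(32))
    (root / "Pictures" / "cat.jpg").write_bytes(NOTE_MARKER + bytes(32))
    # Untouched files: a skipped extension and the skipped NTUSER.DAT.
    (root / "Documents" / "setup.exe").write_bytes(b"MZ" + bytes(32))
    (root / "NTUSER.DAT").write_bytes(b"regf" + bytes(32))
    return root


if __name__ == "__main__":
    sample = build_sample_tree(tempfile.mkdtemp(prefix="catb-demo-"))
    found = scan_tree(sample)
    print(f"{len(found)} note-prefixed file(s) under {sample}:")
    for rel in found:
        print("  ", rel)
    print("unexpected (skipped extension):", unexpected_hits(found) or "none")
```

On a real host, point scan_tree at the volumes the article lists (C:\Users and the D:\ through I:\ drives) and export the result as the affected-file inventory; the unexpected_hits list helps separate genuine CatB output from files that merely happen to contain the same text.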
