Catchamas

Catchamas Description

The Catchamas hacking tool is an infostealer developed by the Thrip APT (Advanced Persistent Threat). This hacking group mainly targets large companies operating in the South East Asian region. The majority of the targeted businesses operate in the military, telecommunications, healthcare and media industries. Among the group's more recently developed hacking tools are the Sagerunex backdoor, the Hannotog malware, and of course, the Catchamas infostealer.

It is likely that the Catchamas infostealer is planted on a compromised system with the aid of one of the backdoors developed by the Thrip hacking group. To remain hidden from the victim, the Catchamas infostealer uses the name ‘NetAdapter,’ which makes the threat sound like a legitimate service that should not be disrupted. These sketchy tricks help the Catchamas infostealer remain undetected for a prolonged period.

As soon as the Catchamas infostealer is injected into the compromised host, it will attempt to gain persistence on the system by modifying the Windows Registry. This allows the Catchamas threat to be executed every time the user restarts the computer. Next, the Catchamas threat will begin collecting information from the infected host. The Catchamas infostealer is able to:

  • Keep an eye on the active browser windows and applications to take screenshots whenever they match the threat’s criteria.
  • Execute a keylogging module that collects login credentials and other sensitive data.
  • Collect the information that is stored in the user’s clipboard.
  • Collect information regarding the network settings of the compromised system.
  • Collect all the ‘.bmp’ and ‘.db’ files.
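One way for a defender to check a Windows host for autostart entries carrying the ‘NetAdapter’ name described above, as an added example that is not part of the original article or of any Thrip research. The article does not say which registry locations Catchamas uses, so the Run/RunOnce keys and the service check below are assumptions covering the usual boot-persistence locations.

```powershell
# Hunting script (added example, not from the original article): looks for
# autostart registry entries and installed services that use the 'NetAdapter'
# name the article attributes to Catchamas. The registry keys checked are an
# assumption; the article does not name the exact persistence location.
$Pattern = 'NetAdapter'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-SuspiciousAutostart {
    param([string]$Pattern, [string[]]$RunKeys)

    # Run/RunOnce values: flag a match in either the value name or the command line.
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($P in $Props.PSObject.Properties) {
            if ($P.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            if ($P.Name -match $Pattern -or "$($P.Value)" -match $Pattern) {
                [pscustomobject]@{ Source = $Key; Name = $P.Name; Command = $P.Value }
            }
        }
    }

    # Installed services: match on service name, display name or binary path.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.Name -match $Pattern -or
            $_.DisplayName -match $Pattern -or
            $_.PathName -match $Pattern
        } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Services'; Name = $_.Name; Command = $_.PathName }
        }
}

# Print every hit with where it was found and what it launches.
Find-SuspiciousAutostart -Pattern $Pattern -RunKeys $RunKeys | Format-Table -AutoSize
```

A hit is a lead rather than a verdict: because the name is chosen to resemble a legitimate networking component, check the binary path and its publisher signature before treating the entry as malicious.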

This custom-built infostealer is meant to be used in long-term reconnaissance operations against high-value targets with the goal of collecting sensitive information. The hacking tools used by the Thrip APT are not considered to be state-of-the-art, which means that a reputable anti-malware solution is more than capable of detecting and removing them from compromised PCs.