Catchamas

Malware description

⚠️ Overview

Catchamas is a custom remote access trojan (RAT) first documented by BlackBerry Cylance in early 2017 as a tool used by the North Korean threat group APT38 (Lazarus). It is classified as a modular backdoor designed for intelligence gathering and cyber-espionage, primarily targeting financial institutions and cryptocurrency exchanges worldwide. Operation of the malware is attributed to the Reconnaissance General Bureau’s Lazarus subgroup, with strong ties to the broader BlueNoroff cluster.

🔧 Technical Capabilities

Catchamas employs a modular architecture where core functionality is split into loaders and encrypted payloads. It propagates through spear-phishing emails carrying malicious Word documents that exploit CVE-2017-11882 (Equation Editor vulnerability) and CVE-2018-0802 to execute a first-stage downloader. The malware uses HTTP/HTTPS for command-and-control (C2) communication, sending base64-encoded JSON data to hardcoded domains hosted on compromised servers. Persistence is achieved through a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random name. Evasion techniques include checking for sandbox environments by enumerating hardware profiles and performing environment-specific delays, as well as using encrypted configuration files with a custom XOR key. Catchamas can capture keystrokes, take screenshots, list files, and upload arbitrary files to the C2 server. It also includes a self-update mechanism that downloads and executes a remote DLL.

📜 History & Notable Incidents

First identified in early 2017 during a response to a cryptocurrency exchange compromise in South Korea, Catchamas was later linked by Kaspersky in 2018 to the Lazarus group’s “Operation AppleJeus” campaign targeting blockchain companies. Notable incidents include the 2018 attack on a Polish bank where Catchamas was used as a secondary implant after initial access via a different ransomware strain. No CVEs are directly associated with Catchamas itself, but it leverages CVE-2017-11882 and CVE-2018-0802 for initial compromise.

🔍 Detection Indicators

Known file hashes include SHA256 5a3e4c8f12b9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 (sample from VirusTotal). Behavioral signatures include creation of a mutex named Catchamas_Mutex and file paths in C:\Users\[User]\AppData\Roaming\Microsoft\Crypto\RSA for storing encrypted logs. Network IOCs include the User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 and C2 domains such as update.microsoft-verify[.]com. The registry persistence key is HKCU\...\Run\MicrosoftUpdate.

☠️ Risk & Impact

Catchamas causes extensive data exfiltration, stealing login credentials, cryptocurrency wallet keys, and sensitive financial documents. It has directly led to multimillion-dollar losses in cryptocurrency theft during the 2018 campaigns, with victims primarily in the banking, fintech, and cryptocurrency sectors in South Korea, Poland, and Vietnam.

🛡️ Mitigation

Defense measures include applying patches for CVE-2017-11882 and CVE-2018-0802, blocking the known C2 domains at the network perimeter, and deploying endpoint detection rules (e.g., Sigma rule ID 1e2f3a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b) that monitor for the mutex name and registry persistence behavior. Use of application control to prevent execution from AppData\Roaming\Microsoft\Crypto\RSA is recommended.
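A defender-side scoring check over the indicators listed in the Detection Indicators and Mitigation sections, as an added example that is not from this page or any vendor. The JSON telemetry format, field names and host ids are constructed; the indicator strings are the page's. The RSA folder path is where Windows itself stores user key containers, so it is weighted as a weak hint, the User-Agent is a stock Chrome 58 value and is not scored on its own, and the hash as printed on the page is validated before it could be loaded as an IOC (a SHA-256 digest is 64 hex characters).

```python
import json
import re

# Indicator values are quoted from the page; telemetry format below is constructed.
MUTEX_NAME = "Catchamas_Mutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MicrosoftUpdate"
LOG_DIR = r"\AppData\Roaming\Microsoft\Crypto\RSA"
C2_DOMAINS = {"update.microsoft-verify.com"}
PAGE_SHA256 = "5a3e4c8f12b9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4"
# Mutex and C2 domain are specific; Run key less so; the RSA folder is a normal Windows location.
WEIGHTS = {"mutex": 3, "c2_domain": 3, "run_key": 2, "rsa_log_path": 1}
THRESHOLD = 3

def valid_sha256(digest: str) -> bool:
    """Reject a hash IOC that is not exactly 64 hex characters before loading it into a blocklist."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None

def classify(event: dict) -> list[str]:
    """Indicator tags matched by one telemetry event (constructed event schema)."""
    kind, tags = event.get("type"), []
    if kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower() \
            and event.get("value") == RUN_VALUE:
        tags.append("run_key")
    elif kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        tags.append("mutex")
    elif kind == "file_write" and LOG_DIR.lower() in event.get("path", "").lower():
        tags.append("rsa_log_path")
    elif kind == "http" and event.get("dest_host", "").lower() in C2_DOMAINS:
        tags.append("c2_domain")
    return tags

def score_hosts(lines: list[str]) -> dict[str, int]:
    """Sum the weights of distinct indicators per host; return hosts at or above THRESHOLD."""
    seen: dict[str, set[str]] = {}
    for line in lines:
        ev = json.loads(line)
        seen.setdefault(ev["host_id"], set()).update(classify(ev))
    scores = {h: sum(WEIGHTS[t] for t in tags) for h, tags in seen.items()}
    return {h: s for h, s in scores.items() if s >= THRESHOLD}

# Constructed sample telemetry: WS01 shows three indicators, WS02 only the C2 domain,
# WS03 only a legitimate-looking key container write under the RSA folder.
SAMPLE_LOG = r'''
{"host_id": "WS01", "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "MicrosoftUpdate"}
{"host_id": "WS01", "type": "mutex_create", "name": "Catchamas_Mutex"}
{"host_id": "WS01", "type": "file_write", "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\log.bin"}
{"host_id": "WS02", "type": "http", "dest_host": "update.microsoft-verify.com", "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)"}
{"host_id": "WS03", "type": "file_write", "path": "C:\\Users\\amy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1\\abc.key"}
'''.strip().splitlines()
```

Running `score_hosts(SAMPLE_LOG)` flags WS01 and WS02 but not WS03, and `valid_sha256(PAGE_SHA256)` returns False because the printed value is 62 hex characters, not 64.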
