Researchers analyze CrowdStrike’s Adversary Quest 2022 CATAPULT SPIDER track, which centers on a Dogecoin-driven ransomware campaign leveraging CHM phishing, encoded PowerShell, and a Dogecoin-based C2. The storyline uncovers multi-stage payloads, a vulnerable HTTP API for control, and a Dogescript-based downloader that culminates in a final flag discovery. #CATAPULTSPIDER #Dogecoin #Dogescript
Key points
- The CATAPULT SPIDER adversary is the focus of the eCrime track, pursuing Dogecoin-driven ransomware campaigns.
- Infection begins with a phishing email carrying a CHM-based loader, delivered to a host without proper EDR visibility.
- The loader uses an HTML OBJECT tag with the hhctrl.ocx ActiveX control to trigger PowerShell via an encoded command, leading to a download from a C2 server.
- The decoded PowerShell ultimately launches a multi-stage payload; a second-stage control binary (control.exe) exposes a web API for unlocking and reading files, which contains a path traversal vulnerability.
- The campaign employs a Dogecoin P2P network as a covert command-and-control channel, and a complex decryption/decoding flow using AES-GCM to exfiltrate encrypted file keys.
- A chosen-plaintext attack on the key database enables decrypting ransomware keys and recovering a flag (CS{d0g3_s0_n1c3_such_4m4z3}).
- The final challenge reveals a Golang-based persistence mechanism that fetches a next-stage binary (shibetoshi.exe) from a remote host, culminating in a flag hidden behind a YouTube link.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The actor distributes a new malware loader via email. “CATAPULT SPIDER is running a new malware campaign… they are now distributing a new malware loader via email.”
- [T1059.001] PowerShell – The loader embeds a Windows PowerShell command, including encoded content, e.g., “The command calls PowerShell with the parameter -EncodedCommand.”
- [T1027] Obfuscated/Compressed Data – The loader encodes payloads in Base64 and UTF-16LE; “The first line of the script contains another Base64 encoded string… encoded using UTF-16 little-endian.”
- [T1486] Data Encrypted for Impact – The ransomware encrypts data, “the customer data encrypted” and “encrypted their data.”
- [T1095] Non-Application Layer Protocol – The Dogecoin peer-to-peer network is used as a C2 channel, e.g., “connects to the Dogecoin peer-to-peer network” and “uses the Bitcoin-like protocol.”
- [T1105] Ingress Tool Transfer – The loader downloads “further components from their command-and-control (C2) server.”
- [T1218.001] Signed Binary Proxy Execution: hhctrl.ocx – The HTML file uses an ActiveX control to start arbitrary commands when the user clicks an HTML OBJECT tag referencing hhctrl.ocx. “HTML OBJECT tag… references the hhctrl.ocx ActiveX control that can be used to start arbitrary commands…”
- [T1059.005] Visual Basic / JavaScript Context (Dogescript/Node.js) – The group loads and executes embedded Dogescript/Node.js components via nexe, which compiles a Node.js app into a binary. “Dogescript language compiles to JavaScript and can then be executed…”
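As an added example (not code from the walkthrough or from CrowdStrike), a small Python helper a responder can run over logged process command lines to recover the `-EncodedCommand` script (Base64 of UTF-16LE, as the T1059.001/T1027 entries describe) and then peel any further Base64 layer nested inside it. The command line, the loader script and the `-enc` abbreviation handling are constructed samples and assumptions, not artifacts from the campaign.

```python
import base64
import binascii
import re
import string

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix of the parameter name rather than only the full spelling.
_ENC_FLAGS = {"-encodedcommand"[:i] for i in range(3, 16)} | {"-e", "-ec"}
_B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # candidate Base64 runs in a script
_PRINTABLE = set(string.printable)


def _try_decode(b64: str):
    """Base64-decode and return the text if it is printable UTF-16LE or UTF-8, else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):  # -EncodedCommand is UTF-16LE; nested blobs are often UTF-8
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c in _PRINTABLE for c in text):
            return text
    return None


def extract_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script from a process command line, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in _ENC_FLAGS:
            return _try_decode(tokens[i + 1].strip("\"'"))
    return None


def decode_layers(cmdline: str, max_depth: int = 5):
    """Peel nested layers: the -EncodedCommand script first, then every Base64 literal
    inside it that decodes to printable text, breadth-first up to max_depth layers."""
    layers, pending = [], []
    first = extract_encoded_command(cmdline)
    if first is not None:
        pending.append(first)
    while pending and len(layers) < max_depth:
        script = pending.pop(0)
        layers.append(script)
        pending.extend(t for m in _B64_LITERAL.finditer(script) if (t := _try_decode(m.group(0))))
    return layers


# Constructed sample: a benign inner script wrapped in a Base64/IEX stub, then UTF-16LE-encoded.
INNER = "Write-Output 'stage two (constructed sample)'"
OUTER = (f"$s = '{base64.b64encode(INNER.encode('utf-8')).decode()}'; "
         "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(OUTER.encode("utf-16-le")).decode()
```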
Indicators of Compromise
- [IP Address] 116.202.161.100 – C2 server hosting ransom note/loader components.
- [IP Address] 95.216.185.231 – Host for subsequent stage delivery (shibetoshi.exe URL).
- [Domain] seed.multidoge.org – Dogecoin seed node referenced in the Dogecoin-based C2 context.
- [URL] http://116.202.161.100:42666/F5D3271FE6D59C185D85353DFB8794A4FF9B7BDD5661FCCF356766998B6D276B/ransomnote_flag.exe – URL to retrieve ransomnote_flag.exe.
- [URL] http://95.216.185.231:8080/shibetoshi.exe – Next-stage download URL used by the decrypt/payload phase.
- [File] ransomnote_flag.exe – Downloaded stage component for the ransomware campaign.
- [File] doc.htm, doc1.htm – HTML documents containing the exploit/loader logic (including hhctrl.ocx reference).
- [File] dogecoin.png, doge.jpg – Embedded assets referenced by the CHM-based loader.
- [SHA-256] 9e32ac74b80976ca8f5386012bae9676decb23713443e81cb10f4456bf0e7e0b – Sample file hash associated with the loader/sample.
- [File] C:\Windows\flag.txt – Targeted flag filename used in the unlock/readfile flow.
Read more: https://www.crowdstrike.com/blog/catapult-spider-adversary-quest-walkthrough-2022/