
The actors behind CatB ransomware operations have been observed using a technique called DLL search order hijacking to evade detection and launch payloads.
CatB, also known as CatB99 and Baxtoy, emerged late last year and is said to be an “evolution or direct rebranding” of another ransomware strain known as Pandora, based on code-level similarities.
Pandora itself has been attributed to Bronze Starlight (aka DEV-0401 or Emperor Dragonfly), a China-based threat actor known to use short-lived ransomware families as a ploy to hide its true objectives.
One of CatB’s key features is that it relies on DLL hijacking through a legitimate service called Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch its ransomware payload.
SentinelOne researcher Jim Walter said in a report published last week: “The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.”

The dropper performs anti-analysis checks to determine whether the malware is running inside a virtual environment and ultimately abuses the MSDTC service to load the malicious oci.dll containing the ransomware into the msdtc.exe process on system reboot.
“[MSDTC] The modified configuration is the name of the account under which the service should run, changed from Network Service to Local System, and the service start option, changed from demand start to auto start for persistence in the event of a reboot,” Minerva Labs researcher Natalie Zargarov explained in a previous analysis.
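The technique above leaves two host artefacts a defender can check for: a copy of oci.dll in System32 (msdtc.exe looks for this Oracle Call Interface library for XA transaction support, and Windows does not ship one, so a planted copy is picked up by the search order) and an MSDTC service whose logon account and start type no longer match the defaults. The following hunting script is an added example written for this article; it is not code from SentinelOne, Minerva Labs or the malware itself. It assumes a default Windows 10/11 or Windows Server build, on which System32\oci.dll is absent and the MSDTC service registry key has ObjectName set to NT AUTHORITY\NetworkService and Start set to 3 (Manual / demand start); verify those baseline values against your own golden image before alerting on them.

```powershell
#Requires -RunAsAdministrator
# Added hunting script (not from the original report or analysis).
# Checks the artefacts described above:
#   1. an oci.dll sitting in System32, where msdtc.exe will find it,
#   2. an MSDTC service reconfigured to run as LocalSystem with Automatic start,
#   3. an oci.dll already loaded into a running msdtc.exe.
# Assumptions (verify against your own baseline): a default Windows build has no
# System32\oci.dll, and MSDTC has ObjectName = "NT AUTHORITY\NetworkService"
# and Start = 3 (Manual / demand start).

function Get-MsdtcHijackFindings {
    [CmdletBinding()]
    param(
        [string]$System32   = (Join-Path $env:SystemRoot 'System32'),
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSDTC'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # --- 1. Planted DLL in the directory msdtc.exe loads from ---------------
    $ociPath = Join-Path $System32 'oci.dll'
    if (Test-Path -LiteralPath $ociPath) {
        $file = Get-Item -LiteralPath $ociPath
        $sig  = Get-AuthenticodeSignature -FilePath $ociPath
        $findings.Add([pscustomobject]@{
            Check   = 'oci.dll present in System32'
            Value   = "$ociPath size=$($file.Length) written=$($file.LastWriteTimeUtc.ToString('u')) sig=$($sig.Status)"
            Suspect = $true   # absent on a clean build; any copy needs explaining
        })
    }

    # --- 2. Service reconfiguration (account and start type) ----------------
    $svc = Get-ItemProperty -Path $ServiceKey -ErrorAction Stop
    $findings.Add([pscustomobject]@{
        Check   = 'MSDTC logon account (ObjectName)'
        Value   = $svc.ObjectName
        Suspect = ($svc.ObjectName -ne 'NT AUTHORITY\NetworkService')
    })
    # Start: 2 = Automatic, 3 = Manual (demand start), 4 = Disabled
    $findings.Add([pscustomobject]@{
        Check   = 'MSDTC start type (Start)'
        Value   = $svc.Start
        Suspect = ($svc.Start -eq 2)
    })

    # --- 3. Is the DLL already inside a running msdtc.exe? ------------------
    # Enumerating modules of a service process requires an elevated shell.
    $procs = Get-Process -Name msdtc -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        try {
            $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'oci.dll' }
            if ($mod) {
                $findings.Add([pscustomobject]@{
                    Check   = "oci.dll loaded in msdtc.exe (PID $($p.Id))"
                    Value   = $mod.FileName
                    Suspect = $true
                })
            }
        } catch {
            Write-Warning "Could not enumerate modules of PID $($p.Id): $_"
        }
    }

    return $findings
}

$results = Get-MsdtcHijackFindings
$results | Format-Table -AutoSize
if ($results | Where-Object Suspect) {
    Write-Warning 'Suspicious MSDTC / oci.dll state found; preserve the DLL and service configuration before remediating.'
}
```

Run it from an elevated PowerShell session so the module enumeration in step 3 succeeds. A hit on the first check deserves the most weight: legitimate Oracle client installs put oci.dll under their own installation directory, not System32. If the service has been reconfigured, collect the registry key and the DLL first; the configuration can then be reverted with `sc.exe config msdtc obj= "NT AUTHORITY\NetworkService" start= demand` (the space after each `=` is required by sc.exe), but reverting it without removing the planted DLL leaves the hijack ready to fire on the next MSDTC start.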
One of the ransomware’s distinguishing features is the absence of a separate ransom note. Instead, each encrypted file is prepended with a message urging the victim to make a Bitcoin payment.
Another feature is the malware’s ability to collect sensitive data such as passwords, bookmarks, and browsing history from the Google Chrome, Microsoft Edge (and Internet Explorer), and Mozilla Firefox web browsers.

“CatB joins a long line of ransomware families that employ somewhat novel techniques and atypical behaviors, such as adding notes to the beginning of files,” said Walter. “These behaviors appear to be implemented for detection evasion and some degree of anti-analysis ploy.”
This is not the first time the MSDTC service has been weaponized for malicious purposes. In May 2021, Trustwave detailed a new piece of malware called Pingback that used the same technique to achieve persistence and bypass security solutions.