Researchers Shed Light on CatB Ransomware's Evasion Techniques


The group responsible for the CatB ransomware scheme has been spotted utilizing a method known as DLL search order hijacking in order to avoid discovery and initiate the harmful attack.

CatB, which is also known as CatB99 and Baxtoy, has recently surfaced and is believed to be either a development or a rebranding of an existing ransomware variant called Pandora, due to similarities in their programming codes.

It is important to mention that Pandora's use has been linked to Bronze Starlight, also known as DEV-0401 or Emperor Dragonfly, a cyber threat group operating from China. This group is notorious for using ransomware that quickly fades away to mask their real intentions.

One of the important features that sets CatB apart is that it uses DLL hijacking through a legitimate service known as Microsoft Distributed Transaction Coordinator (MSDTC) to acquire and initiate the ransomware program.

According to a report released last week by SentinelOne researcher Jim Walter, CatB payloads utilize DLL search order hijacking in order to deploy and activate the malicious payload. The dropper, known as versions.dll, deposits the payload (oci.dll) into the System32 folder.

The dropper is in charge of performing measures to prevent analysis and detect whether the malware is running on a virtual environment. It then proceeds to misuse the MSDTC service to introduce a corrupted oci.dll file that includes ransomware into the msdtc.exe program when the system is rebooted.

Minerva Labs researcher Natalie reported that there have been modifications made to the configurations of MSDTC. These changes include altering the name of the account that should run the service, changing it from Network Service to Local System. Additionally, the service start option has been modified from being set to Demand start to Auto start, ensuring that if a restart occurs, persistence is maintained. In an earlier analysis, Zargarov provided an explanation.

An eyebrow-raising feature of the ransomware is that there is no ransom message included. Instead, every file that has been encrypted now includes a plea for the victim to send a Bitcoin payment.

One of the characteristics of the malware is its capacity to gather confidential information such as login credentials, webpage bookmarks and browsing history from popular web browsers like Google Chrome, Microsoft Edge (including Internet Explorer), and Mozilla Firefox.

According to Walter, CatB is part of a group of ransomware families that use unique methods and unusual actions like adding notes to the beginning of files. These tactics seem to be adopted so as to avoid detection and outsmart analysis to some extent.

The MSDTC service has previously been used for harmful intentions. Trustwave recently uncovered malware called Pingback which used the same method to avoid security measures and remain active.

Post a Comment

Previous Post Next Post