Heimdal

To evade detection while launching their payload, the threat actors behind CatB ransomware used a technique called DLL search order hijacking.

CatB, also known as CatB99 and Baxtoy, emerged late last year and, based on code-level similarities, is said to be an “evolution or direct rebrand” of another ransomware strain known as Pandora.

The use of Pandora has been attributed to Bronze Starlight (aka DEV-0401 or Emperor Dragonfly). This Chinese threat actor uses short-lived ransomware families to hide its true intentions.

CatB relies on this type of hijacking via a legitimate service called Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch the ransomware payload.

Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.

Source

The dropper is also responsible for performing anti-analysis checks to determine whether the malware is being executed within a virtual environment, and ultimately for abusing the MSDTC service so that the rogue oci.dll is loaded into the msdtc.exe executable, launching the ransomware, upon system restart.

Minerva Labs researcher Natalie Zargarov explained that the [MSDTC] configurations were altered, including changing the account under which the service should run from Network Service to Local System and changing the option to start the service from Demand to Auto to ensure persistence in case a restart occurs. Each encrypted file is updated with a message urging victims to pay the ransom in Bitcoin.
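The two host-level indicators described above (the MSDTC service reconfigured to run as Local System with Auto start, and an oci.dll planted in System32 so that msdtc.exe picks it up through DLL search order hijacking) can be audited with built-in cmdlets. The following PowerShell script is an added example written for this page; it is not code from the Heimdal article or from the researchers it cites. It assumes an elevated PowerShell session on a Windows host, and the baseline values it compares against (NT AUTHORITY\NetworkService, Manual start) are the Windows defaults for MSDTC rather than values stated in the article.

```powershell
# Added example, not code from the Heimdal article or from the researchers it cites.
# Audits a Windows host for the MSDTC-related indicators the article describes:
#   1. MSDTC service reconfigured (Local System account, Auto start) for persistence.
#   2. A rogue oci.dll placed in %SystemRoot%\System32 so msdtc.exe loads it
#      through DLL search order hijacking.
#   3. A running msdtc.exe that currently has an oci.dll module loaded.
# Assumes an elevated PowerShell session and only built-in cmdlets.
# Baseline values below are the Windows defaults, not values taken from the article.

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. MSDTC service configuration -----------------------------------------
# Default: runs as NT AUTHORITY\NetworkService with start mode Manual (Demand).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if ($null -eq $svc) {
    Write-Warning 'MSDTC service not present on this host'
}
else {
    if ($svc.StartName -notlike '*NetworkService') {
        $findings.Add("MSDTC runs as '$($svc.StartName)'; default is NT AUTHORITY\NetworkService")
    }
    if ($svc.StartMode -eq 'Auto') {
        $findings.Add('MSDTC start mode is Auto; default is Manual')
    }
}

# --- 2. oci.dll in System32 ---------------------------------------------------
# The file alone is the indicator; the signature status and hash are recorded
# so an analyst can triage it (a legitimately installed Oracle client is the
# benign case to rule out).
$ociPath = Join-Path $env:SystemRoot 'System32\oci.dll'
if (Test-Path -LiteralPath $ociPath) {
    $sig  = Get-AuthenticodeSignature -FilePath $ociPath
    $hash = (Get-FileHash -LiteralPath $ociPath -Algorithm SHA256).Hash
    $findings.Add("oci.dll present at $ociPath (signature: $($sig.Status), SHA256: $hash)")
}

# --- 3. Is msdtc.exe currently hosting an oci.dll module? ---------------------
# Reading another process's module list requires elevation.
Get-Process -Name msdtc -ErrorAction SilentlyContinue | ForEach-Object {
    $mod = $_.Modules | Where-Object { $_.ModuleName -ieq 'oci.dll' }
    if ($mod) {
        $findings.Add("msdtc.exe (PID $($_.Id)) has loaded $($mod.FileName)")
    }
}

# --- Report -------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No MSDTC / oci.dll indicators found'
}
else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt; without elevation the module check silently reports nothing. A hit on the service configuration alone is worth a look but not conclusive, since administrators occasionally change MSDTC's start type; the combination of a non-default service account, Auto start, and an oci.dll in System32 is the pattern the article describes and should be escalated.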

In addition, the malware harvests sensitive information from web browsers such as Google Chrome, Microsoft Edge (and Internet Explorer), and Mozilla Firefox, including passwords, bookmarks, and history.

CatB joins a long line of ransomware families that embrace semi-novel techniques and atypical behaviors such as appending notes to the head of files. These behaviors appear to be implemented in the interest of detection evasion and some level of anti-analysis trickery.

Source

MSDTC has been weaponized for malicious purposes before. For example, Trustwave disclosed a novel malware dubbed Pingback in May 2021 that utilized the same technique to bypass security systems.


Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
