Threat operators behind CatB ransomware use a technique called dynamic-link library (DLL) search order hijacking to evade detection and payload disposal.
CatB, also known as CatB99 and Baxtoy, emerged late last year and is considered to be a direct evolution or rebrand of another ransomware variant known as Pandora. The use of Pandora has been attributed to the Bronze Starlight hacker group, also known as DEV-0401 or Emperor Dragonfly. This Chinese threat group uses short-lived ransomware families to hide their true intentions.
CatB relies on this type of hijacking through a legitimate service called Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch the ransomware payload. “After execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload,” Jim Walter, a researcher at SentinelOne, said in a report published last week. “The dropper [versions.dll] put the payload [oci.dll] in the System32 directory.”
The dropper is also responsible for performing anti-analysis checks to determine if the malware is running in a virtual environment, and finally exploiting the MSDTC service to inject the malicious oci.dll that drives the ransomware into the msdtc.exe executable on reboot of the system.
“The settings [MSDTC] changed are the name of the account under which the service should run, which is changed from Network Service to Local System, and the service start option, which is changed from Demand Start to Auto Start to Persistence if a restart occurs ”, explained Natalie Zargarov, a researcher at Minerva Labs, in a previous analysis of the The HackerNews.
A striking aspect of ransomware is the absence of a ransom note. Instead, each encrypted file is updated with a message asking victims to make a Bitcoin payment. Furthermore, the malware collects sensitive information from web browsers such as Google Chrome, Microsoft Edge — and Internet Explorer — and Mozilla Firefox, including passwords, bookmarks and history. Another feature is the malware’s ability to collect confidential data, such as passwords, bookmarks, browser history.
“CatB joins a long line of ransomware families that adopt semi-new techniques and unusual behavior, such as attaching notes to file headers,” said Walter. “These behaviors appear to be implemented for the purpose of detection evasion and some level of anti-analysis trickery.”
This is not the first time that the MSDTC service has been used for malicious purposes. In May 2021, Trustwave released new malware dubbed Pingback that used the same technique to gain persistence and bypass security solutions.
Source: CisoAdvisor, TheHackerNews
