The CatB ransomware, also tracked as CatB99 or Baxtoy, has been steadily expanding its campaign since November 2022. As it continues to hit organizations and individuals worldwide, researchers have documented a new evasion tactic in the malware's loader.

What’s the update?

  • According to researchers at SentinelOne, the operators have recently shifted to DLL hijacking of the Microsoft Distributed Transaction Coordinator (MSDTC) service: the dropper plants a DLL that the legitimate service process (msdtc.exe) loads, and that DLL unpacks and launches the ransomware payload.
  • Upon execution, the ransomware performs three checks to decide whether it is running inside a virtual machine or sandbox: the type and size of the physical RAM, the size of the physical hard disks, and whether the combination of processors and cores looks anomalous for real hardware.
  • A notable change in the latest version is that there is no separate ransom note file. Instead, after encrypting each file, the ransomware writes a message into the encrypted file itself urging the victim to pay in Bitcoin.
  • The malware also harvests sensitive data, including saved passwords, bookmarks, and browsing history, from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
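The three virtual-environment checks in the list above can be reproduced with read-only CIM queries so an analyst can see what a sandbox exposes to this kind of fingerprinting. The script below is an added example written for this page; it is not CatB's code and not taken from SentinelOne's report. The CIM classes it queries are standard Windows ones, but the cut-off values (4 GB RAM, 100 GB disk, the socket/core heuristic) are assumptions for illustration, since the page does not give CatB's real thresholds.

```powershell
# Added example (not CatB's code, not from SentinelOne's analysis).
# Reproduces the three host-fingerprint checks described above with read-only
# CIM queries. Thresholds are assumptions; the page does not state CatB's values.

function Get-HostFingerprint {
    $mem   = @(Get-CimInstance -ClassName Win32_PhysicalMemory)
    $disks = @(Get-CimInstance -ClassName Win32_DiskDrive)
    $cpus  = @(Get-CimInstance -ClassName Win32_Processor)

    [pscustomobject]@{
        # SMBIOSMemoryType 0 means "Unknown"; many hypervisors report exactly that
        RamTypes    = @($mem | ForEach-Object { [int]$_.SMBIOSMemoryType } | Sort-Object -Unique)
        RamTotalGB  = [math]::Round((($mem   | Measure-Object -Property Capacity -Sum).Sum) / 1GB, 1)
        DiskTotalGB = [math]::Round((($disks | Measure-Object -Property Size     -Sum).Sum) / 1GB, 1)
        Sockets     = $cpus.Count
        Cores       = ($cpus | Measure-Object -Property NumberOfCores             -Sum).Sum
        LogicalCpus = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    }
}

function Test-SandboxIndicators {
    param([Parameter(Mandatory)][pscustomobject]$Fingerprint)

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Assumed thresholds; tune them to the fleet you are assessing
    if ($Fingerprint.RamTotalGB -lt 4)     { $reasons.Add("RAM $($Fingerprint.RamTotalGB) GB is below 4 GB") }
    if ($Fingerprint.RamTypes -contains 0) { $reasons.Add('SMBIOS memory type reported as Unknown') }
    if ($Fingerprint.DiskTotalGB -lt 100)  { $reasons.Add("disk total $($Fingerprint.DiskTotalGB) GB is below 100 GB") }
    if ($Fingerprint.LogicalCpus -lt 2)    { $reasons.Add('only one logical processor') }
    # Several single-core sockets is a common VM layout and rare on physical hosts
    if ($Fingerprint.Sockets -gt 1 -and $Fingerprint.Cores -eq $Fingerprint.Sockets) {
        $reasons.Add("$($Fingerprint.Sockets) sockets with one core each")
    }

    [pscustomobject]@{
        LooksLikeSandbox = ($reasons.Count -gt 0)
        Reasons          = $reasons.ToArray()
    }
}

$fp = Get-HostFingerprint
$fp | Format-List
Test-SandboxIndicators -Fingerprint $fp | Format-List
```

If this flags your detonation VM, that is what the loader sees too. Giving analysis machines realistic RAM and disk sizes and a processor layout that matches real hardware (one or two sockets with several cores each) is the cheapest way to get past checks of this type.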

Past activity involving the abuse of MSDTC

  • Abuse of the MSDTC service to conceal a malicious presence is rare. One earlier instance was a 2021 espionage campaign that distributed the Pingback malware.
  • Pingback targeted 64-bit Windows systems and also relied on DLL hijacking through MSDTC to bypass security products and gain persistence.
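Both the CatB loader described earlier and the Pingback case above come down to the same hunt: is the MSDTC service loading a DLL from System32 that Microsoft did not ship? The script below is an added example written for this page, not code from SentinelOne's or the Pingback analyses. It assumes the stock service binary path (%SystemRoot%\System32\msdtc.exe); the candidate file name oci.dll is taken from public reporting on Pingback and CatB and is an assumption here rather than a detail stated on this page, so extend the list from your own intelligence.

```powershell
# Added example; not code from the SentinelOne or Pingback analyses.
# Hunts for the MSDTC DLL-hijack pattern: the MSDTC service runs msdtc.exe from
# System32, and a DLL planted there under a name the process probes for gets
# loaded with the service. The candidate name below is an assumption taken from
# public reporting, not a detail on this page.

$System32   = Join-Path $env:SystemRoot 'System32'
$Candidates = @('oci.dll')   # assumed DLL names msdtc.exe will try to load

function Find-PlantedMsdtcDll {
    foreach ($name in $Candidates) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $item   = Get-Item -LiteralPath $path
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        [pscustomobject]@{
            Path       = $path
            SizeBytes  = $item.Length
            Written    = $item.LastWriteTime
            SigStatus  = $sig.Status
            Signer     = $signer
            # A file under System32 that Microsoft did not sign deserves a look
            Suspicious = ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft')
        }
    }
}

function Get-MsdtcServiceState {
    # The dropper needs the service running to get its DLL loaded; record the
    # state and start mode, and confirm the binary path is still the stock one.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
    if (-not $svc) { return }
    $binary   = [Environment]::ExpandEnvironmentVariables(($svc.PathName -replace '"', '').Trim())
    $expected = Join-Path $System32 'msdtc.exe'   # assumed stock path
    [pscustomobject]@{
        State       = $svc.State
        StartMode   = $svc.StartMode
        PathName    = $svc.PathName
        PathLooksOk = ($binary -ieq $expected)
    }
}

function Get-NonMicrosoftMsdtcModules {
    # If msdtc.exe is running, list loaded modules whose version info is not
    # Microsoft's. Reading modules needs elevation and a PowerShell host of the
    # same bitness as msdtc.exe.
    foreach ($p in @(Get-Process -Name msdtc -ErrorAction SilentlyContinue)) {
        foreach ($m in $p.Modules) {
            $company = $m.FileVersionInfo.CompanyName
            if ($company -and $company -match 'Microsoft') { continue }
            [pscustomobject]@{
                ProcessId = $p.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Company   = if ($company) { $company } else { '(none)' }
            }
        }
    }
}

Write-Host '== Candidate DLLs on disk =='
Find-PlantedMsdtcDll | Format-Table -AutoSize
Write-Host '== MSDTC service =='
Get-MsdtcServiceState | Format-List
Write-Host '== Non-Microsoft modules loaded in msdtc.exe =='
Get-NonMicrosoftMsdtcModules | Format-Table -AutoSize
```

A hit in the first section with a recent write time, or any non-Microsoft module in the third, is the signal to pull the file for analysis and check what started the service. The same three questions (unexpected file on disk, service state, loaded modules) can be run fleet-wide through your EDR's scripting or a scheduled job.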

Summing up

CatB joins the list of ransomware families that adopt semi-novel techniques, here MSDTC DLL hijacking and host checks against virtual machines, along with the unusual habit of writing the ransom demand into each encrypted file instead of dropping a note. Organizations that already monitor their endpoints, networks, and systems are better placed to detect and respond to CatB quickly. The published IOCs, together with the behaviors described above (an unexpected DLL loaded by the MSDTC service, browser credential and history access, files rewritten with an embedded payment demand), give defenders concrete things to hunt for.
Cyware Publisher