Msdtc.exe termination syntaxĬatB ransomware excludes the following files and extensions from the encryption process. Taskill.exe is used to terminate the msdtc.exe process once the service configuration changes have been made. As a result, the system will inject the malicious oci.dll into the service’s executable ( msdtc.exe) when the MSDTC service is restarted.
The malware then abuses the MSDTC service, manipulating the permissions and startup parameters. Oci.dll payloads in System32 (view from Singularity™ Console) The dropper ( versions.dll) drops the payload ( oci.dll) into the System32 directory. Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores. Sandbox evasion inhibits the analysis process and ultimately leads to more time in the target environment for the attacker.ĬatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. The dropper DLL is responsible for any sandbox evasion techniques required by the threat actor. This dropper deposits the second DLL payload ( oci.dll) onto the target host. CatB Ransomware Process Graphįirst, the dropper is distributed in the form of a UPX-packed DLL ( versions.dll). A dropper DLL is responsible for initial evasive environmental checks as well as dropping and launching the second DLL, which serves the ransomware payload.
In this post, we offer a technical analysis of the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.ĬatB payloads are distributed as a two DLL set. String similarities in the ransom notes as well as modifications left by the ransomware payloads suggest that CatB may be either an evolution or direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads. The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November.
0 kommentar(er)
