CatB Ransomware Leveraging Microsoft Distributed Transaction Coordinator to Execute its Payload

CatB ransomware first appeared in late 2022 and quickly stood out as a more sophisticated entrant than most of its contemporaries.

Also known as CatB99 or Baxtoy, this malware has gained significant attention for its advanced evasion capabilities and distinctive attack methodologies.

Security researchers have noted striking similarities between CatB and Pandora ransomware, suggesting that CatB might be a strategic rebranding of the latter, as evidenced by nearly identical ransom notes and operational patterns.

CatB distinguishes itself through its sophisticated execution strategy, particularly its exploitation of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to deploy its malicious payload.

Beyond conventional file encryption, the ransomware’s capabilities extend to stealing browser data and credentials, substantially increasing its threat potential.

Its anti-analysis checks detect virtual machine and sandbox environments and avoid running in them, which makes analysis and containment considerably harder for security teams.

AttackIQ researchers have identified CatB’s connection to the suspected cyber espionage group ChamelGang (also known as CamoFei).

According to that analysis, the association marks a concerning shift in tradecraft: traditional criminal ransomware operations blended with espionage objectives.

This hybrid approach effectively creates a smokescreen, where the obvious ransomware attack diverts attention from underlying intelligence gathering activities.

The impact of CatB has been substantial, targeting high-profile organizations worldwide. Its multi-stage attack methodology begins with initial reconnaissance to gather system information before executing its encryption routines.

Fortinet's technical analysis from February 2023 and SentinelOne's March 2023 report both detail how the malware systematically undermines security defenses while establishing persistence within compromised networks.

In response to this evolving threat, AttackIQ has released an attack graph that emulates CatB’s tactics, techniques, and procedures (TTPs), enabling organizations to validate their security controls against this specific threat actor’s methodologies.

This proactive approach allows security teams to identify potential vulnerabilities before they can be exploited in real-world scenarios.

DLL Search Order Hijacking Mechanism

The cornerstone of CatB’s execution strategy lies in its exploitation of Windows DLL search order mechanisms to compromise the Microsoft Distributed Transaction Coordinator (MSDTC).

Initial access and discovery (Source – AttackIQ)

This technique, classified as T1574.001 in the MITRE ATT&CK framework, gets a trusted, signed system binary to load a rogue DLL, so the malicious code runs inside a legitimate process with that process's privileges.

The attack begins with the CatB dropper profiling the host: it queries processor details through GetSystemInfo and system drive information through DeviceIoControl.

It also calls GlobalMemoryStatusEx to read physical and virtual memory totals. Small drives, few cores and little memory are typical of analysis sandboxes, so these values feed its VM detection.

The DLL hijacking process exploits Windows' predictable DLL loading sequence: when a library is requested by name alone, the loader searches the executable's own directory before the system directories.

Execution & Impact – Ransomware Execution and Encryption (Source – AttackIQ)

By placing a malicious DLL with the same name as a legitimate DLL in a location that’s searched earlier in the sequence, CatB ensures its code executes with the same privileges as the trusted application.

The following simplified code pattern illustrates how defenders might detect this activity:

# Detection of potential DLL hijacking activity
# Hash-allowlist check of the DLLs in the MSDTC directory. The three entries
# below are placeholders: populate the list with SHA-256 hashes taken from a
# known-good baseline host before relying on the output.
$suspiciousDllLocations = Get-ChildItem -Path "C:\Windows\System32\msdtc" -Filter "*.dll" -Recurse
$knownGoodHashes = @("hash1", "hash2", "hash3")

foreach ($dll in $suspiciousDllLocations) {
    $fileHash = Get-FileHash -Path $dll.FullName -Algorithm SHA256
    if ($fileHash.Hash -notin $knownGoodHashes) {
        Write-Output "Potential malicious DLL detected: $($dll.FullName)"
    }
}
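A hash allowlist only catches what you have already baselined. The following is an added example, not code from the original article or from AttackIQ's attack graph, that checks for the hijack from the process side instead: it lists the modules actually mapped into the running msdtc.exe and flags any that is not Microsoft-signed or was loaded from outside the System32 tree, and it reads Sysmon Event ID 7 (ImageLoad) records for msdtc.exe so that a DLL that has since been removed still leaves a trace. The function names are this example's own; it assumes an elevated PowerShell 5.1+ prompt and, for the second check, that Sysmon is installed with ImageLoad logging enabled.

```powershell
# Added example (not from the original article or AttackIQ's attack graph).
# Assumes an elevated PowerShell 5.1+ session; the Sysmon part assumes the
# Sysmon service is installed and logging ImageLoad (Event ID 7).

$System32 = Join-Path $env:SystemRoot 'System32'

function Test-MsdtcLoadedModules {
    # Live check: every DLL mapped into msdtc.exe should be a Microsoft-signed
    # (Authenticode or catalog-signed) binary under %SystemRoot%\System32.
    $proc = Get-Process -Name msdtc -ErrorAction SilentlyContinue
    if (-not $proc) {
        Write-Warning 'msdtc.exe is not running; nothing to inspect live.'
        return
    }
    foreach ($mod in $proc.Modules) {
        $path    = $mod.FileName
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $reasons = @()
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status is $($sig.Status)"
        } elseif ($subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "signer is not Microsoft ($subject)"
        }
        if (-not $path.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'loaded from outside System32'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Source = 'live'
                Module = $mod.ModuleName
                Path   = $path
                SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
                Reason = ($reasons -join '; ')
            }
        }
    }
}

function Get-SuspiciousMsdtcImageLoads {
    # Historical check: Sysmon Event ID 7 records every DLL a process loaded,
    # together with Sysmon's own signature verdict, so a hijack that has
    # since been cleaned up is still visible.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Read EventData by field name rather than by index, because the
        # property order differs between Sysmon versions.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Image'] -notlike '*\msdtc.exe') { continue }
        $loaded = $data['ImageLoaded']
        if (-not $loaded) { continue }
        $reasons = @()
        if ($data['Signed'] -ne 'true') {
            $reasons += 'not signed'
        } elseif ($data['Signature'] -notmatch 'Microsoft') {
            $reasons += "signer is $($data['Signature'])"
        }
        if (-not $loaded.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'loaded from outside System32'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Source = 'sysmon'
                Time   = $ev.TimeCreated
                Module = Split-Path -Leaf $loaded
                Path   = $loaded
                SHA256 = $data['Hashes']
                Reason = ($reasons -join '; ')
            }
        }
    }
}

@(Test-MsdtcLoadedModules) + @(Get-SuspiciousMsdtcImageLoads) | Format-Table -AutoSize
```

Two caveats when reading the output. Legitimate side-by-side assemblies live under WinSxS rather than System32 and will trip the location check, so allowlist those paths after confirming their signatures. And the live check only sees what is loaded right now, which is why the Sysmon pass matters: the service has to be started for the rogue DLL to be mapped at all, and an attacker who starts it, encrypts, and cleans up leaves nothing for the first function to find.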

Once the malicious DLL is loaded, CatB terminates security-related processes using PowerShell commands to disable defenses.

This creates an environment conducive to its encryption operations and browser data theft activities.

The sophisticated nature of CatB’s DLL hijacking mechanism, combined with its reconnaissance capabilities and defense evasion techniques, makes it a formidable threat requiring enhanced detection methodologies and proactive security validation.


The post CatB Ransomware Leveraging Microsoft Distributed Transaction Coordinator to Execute its Payload appeared first on Cyber Security News.
