CatB ransomware uses MSDTC DLL hijacking to drop and load its payload, then encrypts files while attempting to steal browser data and credentials. It employs sandbox evasion, DLL injection, and service abuse to survive analysis and deliver its ransom demands, including Protonmail contacts and a Bitcoin address.
#CatB #CatB99 #Baxtoy #Pandora #MSDTC #DLLHijacking #oci.dll #versions.dll #Protonmail #Bitcoin #Firefox #Chrome #Edge #WindowsMail
#CatB #CatB99 #Baxtoy #Pandora #MSDTC #DLLHijacking #oci.dll #versions.dll #Protonmail #Bitcoin #Firefox #Chrome #Edge #WindowsMail
Keypoints
- CatB uses a two-DLL dropper: a UPX-packed dropper (versions.dll) and a second payload DLL (oci.dll) dropped into System32.
- The malware relies on DLL search order hijacking to drop and load the malicious payload.
- It abuses the MSDTC service, manipulating permissions and startup parameters, then injects oci.dll into msdtc.exe upon restart.
- Sandbox/VM detection is performed via three environment checks (RAM, disk, CPU/core configurations) before execution.
- Encryption targets are explicitly excluded (e.g., .msi, .dll, .sys, .iso, NTUSER.DAT) and local drives are mapped for encryption (C:, D:, E:, F:, G:, H:, I:).
- Credential and browser data theft targets Firefox, Chrome, Edge, and IE, including bookmarks, history, and profile data, plus Windows Mail data.
- Ransom notes are appended to encrypted files; notes may reference Protonmail contacts and a BTC address, with variations including double emails.
MITRE Techniques
- [T1574.001] DLL Search Order Hijacking β The dropper relies on DLL search order hijacking to drop and load the malicious payload. βThe dropper β¦ uses DLL search order hijacking to drop and load the malicious payload.β
- [T1569.002] Create or Modify System Process β Abuses the MSDTC service, manipulating the permissions and startup parameters to enable payload execution.
- [T1055.001] DLL Injection β Injects the malicious oci.dll into the serviceβs executable (msdtc.exe) when the MSDTC service is restarted. βinject the malicious oci.dll into the serviceβs executable (msdtc.exe) when the MSDTC service is restarted.β
- [T1497] Virtualization/Sandbox Evasion β Performs three checks to determine if running inside a virtual environment. βthree primary checks β¦ determine if the payload is being executed within a virtual environment.β
- [T1027] Obfuscated/Compressed Files and Information β The dropper is UPX-packed (versions.dll).
- [T1486] Data Encrypted for Impact β Excludes specific files and encrypts local drives; βCatB ransomware excludes the following files and extensions from the encryption process: .msi, .dll, .sys, .iso and NTUSER.DAT.β
- [T1555.003] Credentials from Web Browsers β Collects browser data from Firefox, Chrome, Edge, and IE, including bookmarks, history, and profile data.
Indicators of Compromise
- [SHA1] CatB sample hashes β 1028a0e6cecb8cfc4513abdbe3b9d948cf7a5567, 8c11109da1d7b9d3e0e173fd24eb4b7462073174, and 3 more hashes
- [Email] Ransom note contact addresses β catB9991[at]protonmail[.]com, fishA001[at]protonmail[.]com
- [BTC Wallet] Payment address β bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz
- [File Name] Payload components β versions.dll, oci.dll, msdtc.exe
Read more: https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/