May 31, 2023

Researchers have spotted new tactics employed by the CatB ransomware, also referred to as CatB99 or Baxtoy, which has been steadily expanding its campaign since November 2022.

Researchers noted the infamous gang has lately  shifted to DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.

Advertisements

Upon execution, the ransomware performs three primary checks to determine if the payload is being executed within a virtual environment.

  • Type and size of physical RAM
  • Size of physical hard disks
  • Combinations of processors and cores.

After encrypting each file, the ransomware adds a message urging the victims to make a Bitcoin payment. It stands out from other ransomware in the way that it didn’t have a ransomware note.

Another ability is to harvest sensitive data such as passwords, bookmarks, and history from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

While the abuse of MSDTC service to covert malicious presence is rare, one such instance was observed in a 2021 espionage campaign distributing Pingback malware. The malware targeted Windows 64-bit systems and used DLL hijacking to bypass security solutions and gain persistence. 

Advertisements

CatB joins the list of ransomware families that embrace semi-novel techniques and the unique behavior of appending a note to the encrypted files. Organizations that have their endpoints, networks, and systems secured can quickly respond to CatB attacks.

Indicators of Compromise

  • 1028a0e6cecb8cfc4513abdbe3b9d948cf7a5567
  • 8c11109da1d7b9d3e0e173fd24eb4b746207317
  • 951e603af10ec366ef0f258bf8d912efedbb5a4b
  • db99fc79a64873bef25998681392ac9be2c1c99c
  • dd3d62a6604f28ebeeec36baa843112df80b0933
  • 35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b
  • 3661ff2a050ad47fdc451aed18b88444646bb3eb6387b07f4e47d0306aac6642
  • 512587a73cd03c6324ade468689510472c6b9e54074f3cf115aa54393b14f037
  • 83129ed45151a706dff8f4e7a3b0736557f7284769016c2fb00018d0d3932cfa
  • 9990388776daa57d2b06488f9e2209e35ef738fd0be1253be4c22a3ab7c3e1e2
  • c8e0aa3b859ac505c2811eaa7e2004d6e3b351d004739e2a00a7a96f3d12430c
Tags:

Leave a Reply

You may have missed

Mirai Bots Targeting IoT Devices

Mirai Bots Targeting IoT Devices

May 30, 2023
Watering hole attack from Tortoiseshell group

Watering hole attack from Tortoiseshell group

May 29, 2023
New TLD Based Phishing Campaign

New TLD Based Phishing Campaign

May 29, 2023
CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
%d bloggers like this: