December 8, 2023

Researchers have spotted new tactics employed by the CatB ransomware, also referred to as CatB99 or Baxtoy, which has been steadily expanding its campaign since November 2022.

Researchers noted the infamous gang has lately  shifted to DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.


Upon execution, the ransomware performs three primary checks to determine if the payload is being executed within a virtual environment.

  • Type and size of physical RAM
  • Size of physical hard disks
  • Combinations of processors and cores.

After encrypting each file, the ransomware adds a message urging the victims to make a Bitcoin payment. It stands out from other ransomware in the way that it didn’t have a ransomware note.

Another ability is to harvest sensitive data such as passwords, bookmarks, and history from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

While the abuse of MSDTC service to covert malicious presence is rare, one such instance was observed in a 2021 espionage campaign distributing Pingback malware. The malware targeted Windows 64-bit systems and used DLL hijacking to bypass security solutions and gain persistence. 


CatB joins the list of ransomware families that embrace semi-novel techniques and the unique behavior of appending a note to the encrypted files. Organizations that have their endpoints, networks, and systems secured can quickly respond to CatB attacks.

Indicators of Compromise

  • 1028a0e6cecb8cfc4513abdbe3b9d948cf7a5567
  • 8c11109da1d7b9d3e0e173fd24eb4b746207317
  • 951e603af10ec366ef0f258bf8d912efedbb5a4b
  • db99fc79a64873bef25998681392ac9be2c1c99c
  • dd3d62a6604f28ebeeec36baa843112df80b0933
  • 35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b
  • 3661ff2a050ad47fdc451aed18b88444646bb3eb6387b07f4e47d0306aac6642
  • 512587a73cd03c6324ade468689510472c6b9e54074f3cf115aa54393b14f037
  • 83129ed45151a706dff8f4e7a3b0736557f7284769016c2fb00018d0d3932cfa
  • 9990388776daa57d2b06488f9e2209e35ef738fd0be1253be4c22a3ab7c3e1e2
  • c8e0aa3b859ac505c2811eaa7e2004d6e3b351d004739e2a00a7a96f3d12430c

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.