CatB ransomware uses DLL hijacking for stealthy deployment

A new report from SentinelOne researchers reveals fresh findings on the CatB ransomware

SentinelOne researchers have published new findings about the malware behind the CatB extortion campaign, which uses a technique called DLL hijacking to evade detection and launch its payload. According to the report, CatB (also tracked as CatB99 or Baxtor) is an "evolution or direct rebranding" of another ransomware strain known as Pandora. Use of Pandora has previously been attributed to the China-based threat group Bronze Starlight (DEV-0401, Emperor Dragonfly). CatB abuses the legitimate Microsoft Distributed Transaction Coordinator (MSDTC) service by replacing DLLs it loads with malicious versions, which the attackers use to extract and run the ransomware payload. The malware can also determine whether it is running in a virtual environment and changes its behavior inside a sandbox to mislead security researchers. Unlike most ransomware, CatB does not drop a separate ransom note; instead it writes a message into the header of each encrypted file containing the attackers' cryptocurrency address and the payment amount demanded.
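A defender's view of the MSDTC abuse described above: the legitimate msdtc.exe should only load Microsoft-signed DLLs from the Windows system directories, so a hijacked DLL stands out in image-load telemetry. The following is an added example, not code from SentinelOne's report; it assumes Sysmon Event ID 7 (ImageLoad) records reduced to a few fields, and the DLL names and paths in the sample are constructed.

```python
"""Flag DLLs loaded by msdtc.exe that are unsigned, signed by a non-Microsoft
publisher, or loaded from outside the Windows system directories."""

# Constructed sample of Sysmon Event ID 7 (ImageLoad) records, reduced to the
# fields the check uses. Paths and DLL names are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\msdtc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msdtctm.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": "C:\\Windows\\System32\\msdtc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\example_hijacked.dll",  # constructed name
     "Signed": "false", "Signature": ""},
    {"Image": "C:\\Windows\\System32\\msdtc.exe",
     "ImageLoaded": "C:\\Users\\Public\\loader.dll",  # constructed name
     "Signed": "true", "Signature": "Some Unknown Publisher"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",  # not MSDTC, ignored by the check
     "ImageLoaded": "C:\\Users\\Public\\loader.dll",
     "Signed": "false", "Signature": ""},
]

# Directories from which the MSDTC service is expected to load its DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def msdtc_dll_findings(events):
    """Return a list of (dll_path, reasons) for every suspicious load by msdtc.exe."""
    findings = []
    for ev in events:
        # Only consider image loads performed by the MSDTC service process.
        if not ev.get("Image", "").lower().endswith("\\msdtc.exe"):
            continue
        dll = ev.get("ImageLoaded", "")
        reasons = []
        if not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append("loaded from outside the Windows system directories")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        elif "microsoft" not in ev.get("Signature", "").lower():
            reasons.append("signed by a non-Microsoft publisher")
        if reasons:
            findings.append((dll, reasons))
    return findings


if __name__ == "__main__":
    for dll, reasons in msdtc_dll_findings(SAMPLE_EVENTS):
        print(f"SUSPICIOUS msdtc.exe load: {dll}: {'; '.join(reasons)}")
```

On a real host the same check can be run over exported Sysmon events; a hit is a trigger for verifying the DLL's hash and origin, not proof of compromise on its own.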

CatB also collects sensitive data such as saved passwords, bookmarks and browsing history from popular browsers: Google Chrome, Microsoft Edge, Internet Explorer and Mozilla Firefox. A SentinelOne researcher notes: "CatB has joined a long line of ransomware families that adopt new methods and atypical behavior, such as appending ransom notes directly to encrypted files."

This is not the first known case of the MSDTC service being abused for malicious purposes. In May 2021, Trustwave reported malware called Pingback that used the same technique to evade security solutions and maintain persistence on the target system.
