When it comes to Windows devices, ransomware groups largely tend to take tried and tested paths. Take the new entrant CatB ransomware, which uses an old technique of MSDTC service DLL hijacking to deploy and execute its payload.
CatB is still relatively new, with samples dating back to December 2022. However, additional samples dating back to November 2022 were discovered that might be related to the threat actor, noted researchers at Fortiguard Labs.
Unlike the established players, the CatB threat actor does not offer a web portal for victims to access. Instead, they only offer contact information via an email address in the ransom note. As of now, there is no indication that the malware operators are utilizing a Ransomware-as-a-Service model.
“CatB uses a dropper packaged into a Microsoft Windows Dynamic Link Library (.dll) file. Contained within the dropper is a second .dll file that contains the payload responsible for encrypting files on the victim’s machine,” said the Fortiguard report.
“This particular version of CatB uses DLL sideloading to execute the payload’s code. DLL sideloading places a malicious DLL file in the same directory as a trusted executable. When the executable tries to load a DLL with the same name, the attacker’s DLL is loaded instead,” it added.
CatB ransomware, Windows, and DLL hijacking
The CatB dropper utilizes three anti-VM/sandbox evasion techniques to avoid detection, noted a threat analysis report by cybersecurity firm Minerva.
The first technique involves a processor core check. Since real computers nowadays typically have at least two processor cores, the ransomware retrieves system information via the GetSystemInfo API function and reads the reported number of processors.
If fewer than two processors are reported, it exits without executing, treating this as a sign that it is currently residing in a sandbox.
The second technique involves a total physical memory check. The CatB ransomware detects virtual machines and sandboxes by checking physical memory size. It retrieves information about the physical and virtual memory using the GlobalMemoryStatusEx API function.
If the machine has less than 2GB of physical memory, the ransomware exits, treating this as an indication that it is running in a virtual environment.
The third technique is to check the hard drive size of the machine. By using the DeviceIoControl API function and passing ‘0x70000’ as the dwIoControlCode parameter, the malware can check the machine’s hard drive size to determine if it should continue executing.
The CatB ransomware will only execute on a machine with a hard drive size of at least 50GB.
“CatB looks for files to encrypt beyond just the “C:\” drive, enumerating additional mounted hard drive volumes up to ‘I’,” said the Fortiguard Labs report.
“The ransomware will not encrypt anything that might be considered a functional system file that would prevent a possible recovery (and thereby eliminate any reason to pay a ransom).”
Unlike the usual ransomware gang MO, this threat group does not deploy a ransom note in obvious locations such as the user’s desktop. Instead, every encrypted file has the ransom note prepended to the top of the file, the report added.
What exactly is DLL hijacking?
DLL hijacking is a sneaky technique used by threat actors to bypass security controls and execute malicious code on a victim’s machine. Instead of running the malicious code directly, attackers will use a legitimate application to load a malicious DLL file.
This approach can help malicious code evade application allowlisting or other automated security controls. Additionally, when the process is inspected, only the legitimate application is visible, making it difficult to detect the malicious activity.
“One reason DLL hijacking remains difficult to mitigate with automated defenses alone is the technique offers adversaries so much flexibility and variability in its implementation. And so, the cat-and-mouse game between defender and adversary continues,” said a Crowdstrike analysis of the technique, published last year.
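As an added example (not code from the article, Fortiguard or Minerva), here is a small Python hunt for the sideloading pattern described above: it walks application directories and, wherever an executable sits beside a DLL whose name matches a DLL in the system directory but whose hash differs, reports that DLL. The directory names, file names and file contents below are constructed for the demo.

```python
# Added example: a small hunt for DLL sideloading candidates. It flags a .dll
# that sits next to an .exe and shares its name with a DLL in the system
# directory but has different content. All names and paths are constructed.
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_system_index(system_dir):
    """Map lower-cased DLL name -> SHA-256 of the copy in the system directory."""
    return {n.lower(): sha256_of(os.path.join(system_dir, n))
            for n in os.listdir(system_dir) if n.lower().endswith(".dll")}

def find_sideload_candidates(app_root, system_index):
    """In each directory under app_root that holds an .exe (a potential trusted
    host), report DLLs that shadow a system DLL name with different content."""
    findings = []
    for dirpath, _, files in os.walk(app_root):
        if not any(f.lower().endswith(".exe") for f in files):
            continue  # no executable here to act as the loader
        for f in files:
            key = f.lower()
            if key.endswith(".dll") and key in system_index:
                digest = sha256_of(os.path.join(dirpath, f))
                if digest != system_index[key]:
                    findings.append((os.path.join(dirpath, f), digest))
    return findings

def demo():
    """Constructed layout: genuine copy beside good.exe (not flagged), differing
    copy beside host.exe (flagged), orphan DLL with no .exe (not flagged)."""
    root = tempfile.mkdtemp()
    sysdir, apps = os.path.join(root, "system32"), os.path.join(root, "apps")
    layout = {
        ("system32", "shared.dll"): b"legit dll bytes",
        ("apps/good", "good.exe"): b"exe",
        ("apps/good", "shared.dll"): b"legit dll bytes",
        ("apps/bad", "host.exe"): b"exe",
        ("apps/bad", "shared.dll"): b"not the real library",
        ("apps/orphan", "shared.dll"): b"not the real library",
    }
    for (d, name), data in layout.items():
        os.makedirs(os.path.join(root, d), exist_ok=True)
        with open(os.path.join(root, d, name), "wb") as f:
            f.write(data)
    return find_sideload_candidates(apps, build_system_index(sysdir))
```

On a real host the same two functions would be pointed at the actual system directory and at program directories; findings are candidates for review, not verdicts, since legitimate applications sometimes ship their own copies of common DLLs.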