We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses. The sample was first uploaded to VT on November 23, 2022 and tagged by the VT community as a possible variant of the Pandora Ransomware. The assumed connection to the Pandora Ransomware was due to some similarities between the CatB and Pandora ransom notes. However, the similarities pretty much end there. The CatB ransomware implements several anti-VM techniques to verify execution on a “real machine”, followed by a malicious DLL drop and DLL hijacking to evade detection.
CatB ransomware contains two files, the dropper (version.dll), packed with UPX, and the ransomware payload (oci.dll). The dropper handles anti-VM checks, dropping the ransomware payload and executing it.
Anti-VM
CatB dropper implements three anti-VM/sandbox evasion techniques:
- Processor core check – Real computers nowadays all have at least two processors, so if the ransomware detects only one CPU core, that would be a strong indicator that it is currently residing on in a sandbox.The ransomware retrieves system information by GetSystemInfo API function and checks the number of processors. If there are less than two processors, it exits and does not execute.
Figure 1 – Processor check
- Total Physical memory check – As opposed to virtual machines, real machines today all have at least 2GB RAM, and usually have between 4GB and 32GB. The CatB Ransomware detects VMs/sandboxes by checking physical memory size. This is done by retrieving the information about both the physical and virtual memory using the GlobalMemoryStatusEx API function. In our case, the ransomware checks and exits if the machine has at less than 2GB of physical memory.
Figure 2 – Physical memory check
- Hard Drive size – Malware can check the machine hdd size and continue execution leaning on that parameter. This can be done by using the DeviceIoControl Api function with ‘0x70000’ passed as the dwIoControlCode parameter. CatB ransomware will execute only in a machine with at least a 50GB hard drive.
Figure 3 – Hard Disk size check
DLL Hijacking
If all anti-VM checks pass, the dropper will continue its execution and drop the ransomware payload (oci.dll) into the C:\Windows\System32 folder. Next, it looks for the MSDTC service (the Distributed Transaction Coordinator Windows service that is responsible for coordinating transactions between databases (SQL Server) and web servers) and changes its configurations.
Figure 4 – MSDTC service
The configurations changed are the name of the account under which the service should run, which is changed from Network Service to Local System, and the service start option, which is changed from Demand start to Auto start for persistency if a restart occurs.
Figure 5 – Service Configuration Changes
The account under which the service runs was changed to grant admin rights to the service, as the Network Service account runs with user rights. The cChangeing of the start type will grants the ransomware the ability to executeion every time the system restarts.
The dropper starts the service after changing its configuration. When this service starts, it attempts to load, by default, several DLLs from the System32 folder. This gives it the opportunity to plant an arbitrary DLL (in our case, oci.dll) into this folder in order to execute malicious code.
Ransomware
The Malicious oci.dll file is loaded into the msdtc.exe process, after which the encryption process starts. CatB enumerates and encrypts specific hardcoded disks and folders:
- Disk D:\
- Disk E:\
- Disk F:\
- Disk G:\
- Disk H:\
- Disk I:\
- All files under C:\Users and its sub-directories
-
Figure 6 – Hardcoded Disks
CatB avoids encrypting files with .msi, .exe, .dll, .sys, .iso extensions and the NTUSER.DAT file. An interesting thing about the CatB ransomware is that the ransom note is added into the beginning of every encrypted file and not as a separate file in every folder as most of the ransomwares do. It also doesn’t change the file extensions. This might initially confuse users who may not notice the encryption and the file will just appear to be corrupted as they would be unable to open it as its binary contents are broken. The ransom note itself looks very similarly built to Pandora and Crypt ransom notes, with some sections actually being copy/pastes from them:
Figure 7 – Encrypted file
There is no official ransom name in the note and no tor website URL. The only method available to contact the ransomware operator is via email.
Prevention
Minerva Armor’s Ransomware Protection Platform easily prevents CatB ransomware by simulating environmental data that the ransomware is actively trying to avoid.
For example when the ransomware queries for the number of processors, Minerva Armor leads it to believe that it is in an environment with only 1 CPU.
Figure 8 – Prevention
Relevant MITRE ATT&CK:
T1027 – Obfuscated Files or Information
T1036 – Masquerading
T1497 – Virtualization/Sandbox Evasion
T1082 – System Information Discovery
T1518.001 – Software Discovery: Security Software Discovery
T1486 – Data Encrypted for Impact
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
IOC’s
- Version.dll – 3661ff2a050ad47fdc451aed18b88444646bb3eb6387b07f4e47d0306aac6642
- Oci.dll – 35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b
- Bitcoin wallet address – bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz
- Email contact – catB9991@protonmail.com
References
https://pentestlab.blog/2020/03/04/persistence-dll-hijacking/