{
	"id": "79095cd4-c92f-4edd-ba34-bb1b910b06b8",
	"created_at": "2026-04-06T00:15:49.371302Z",
	"updated_at": "2026-04-10T03:22:02.749226Z",
	"deleted_at": null,
	"sha1_hash": "c8985f4a64162b866f79f2f82e86f5ed58f4e3e0",
	"title": "CatB Ransomware: A New Threat Exploiting DLL Side-Loading - VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1346923,
	"plain_text": "CatB Ransomware: A New Threat Exploiting DLL Side-Loading - VMRay\r\nBy VMRay Labs\r\nPublished: 2023-03-15 · Archived: 2026-04-05 16:51:26 UTC\r\nIntroduction\r\nJust before closing off the year 2022, a new ransomware called CatB appeared on VirusTotal. Compared to other\r\nransomware, this new malware family ships with unique characteristics that make this recent newcomer\r\ninteresting: Before the ransomware is executed, its loader component performs basic evasion checks to ensure the\r\nsample is not running in an analysis environment, such as a sandbox.\r\nOnce all checks are passed, the payload containing the ransomware is executed in the context of a trusted\r\nWindows service via a DLL Side-Loading attack. CatB then searches for user-specific files based on a list of\r\nextensions that can be encrypted. In contrast to the behavior shown by other ransomware families, instead of dropping\r\nthe ransom note in separate files in various locations, CatB prepends it to each of the encrypted files.\r\nAccording to the ransom note's content, the files are encrypted with RSA and a key size of 2048.\r\nEven though we haven’t observed different samples at the time of writing, within this Spotlight, we are taking a\r\nbrief look at one ransomware sample to highlight the evasion techniques as well as the DLL Side-Loading attack.\r\nhttps://www.vmray.com/cyber-security-blog/catb-ransomware-a-new-threat-exploiting-dll-side-loading/\r\nPage 1 of 9\n\nAnalysis of CatB Ransomware Loader\r\nWhile the full delivery chain of CatB is currently unknown, the infection mechanism itself can be observed within\r\nVMRay Platform: A malicious DLL, referred to as the loader within this Spotlight, is executed on a system and\r\nstarts with basic evasion checks to hide its behavior from analysis environments. 
In total, there are three different\r\ntechniques implemented.\r\nThe first one checks the number of CPU cores present on the system by calling the Windows API\r\nGetSystemInfo to retrieve the respective counter. The loader expects to see at least two cores available to continue\r\nits execution (Figure 1). While many sandboxes only feature single-core VMs to lower the resources required for\r\nrunning parallel analyses, modern desktop computers or notebooks typically have multiple CPU cores.\r\nVMRay Platform provides the option to easily adjust the number of CPU cores directly within the system\r\nconfiguration (Figure 2). The modification is transparent to major parts of the VM as it only fakes the number of\r\nCPU cores for processes that are relevant to the analysis. This ensures short reaction times to changes observed in\r\nthreat trends, as well as maintaining short analysis times, as increasing the number of faked CPU cores does\r\nnot have a negative performance impact in the case of parallel running analyses.\r\nThe second anti-VM technique checks the amount of main memory available to the system.\r\nThis is done by calling the Windows API GlobalMemoryStatusEx, which returns a struct with various\r\ninformation about physical and virtual memory.\r\nThe loader extracts the value of the total available physical memory to verify that the system has at least 2048MB\r\nof memory installed (Figure 3). Desktop computers rarely have less, but many sandboxes do to save resources for\r\nthe execution of parallel analyses.\r\nBesides faking CPU cores, VMRay Platform also provides a configuration option to adjust the amount of memory\r\nthat is seen by relevant processes. 
Similar to faking the number of CPU cores, increasing the size of available\r\nmain memory does not have a negative performance impact on analyses as this is also transparent to major parts\r\nof the VM.\r\nFor the third and final check, the sample extracts the size of the hard drive, as most analysis environments provide\r\nonly very limited space, which is not typical for modern computers. As for all prior checks, there is again a\r\nWindows API function, DeviceIoControl, that the loader uses to receive the specifications of the\r\ndrive.\r\nBy using IOCTL_DISK_GET_DRIVE_GEOMETRY as a parameter for the API call, the system returns the\r\ngeometry data of the physical disk, which can be used to calculate the total size. The loader continues execution\r\nonly if the drive has a size of at least 50GB (Figure 5). The analysis VMs used by VMRay have disk sizes that are\r\nlarge enough not to get caught by this analysis environment check.\r\nThe CatB ransomware sample discussed in this Spotlight uses a DLL Side-Loading vulnerability in a trusted\r\nWindows service called MSDTC (Microsoft Distributed Transaction Coordinator), which has been known for\r\nmore than 2 years. 
DLL Side-Loading is a well-known and easy-to-find exploitation technique that can be used by\r\nattackers to achieve code execution in the context of a trusted process, as the vulnerable program tries to load one\r\nor multiple DLLs by name from specified locations.\r\nOnce all anti-VM checks have been passed, the loader drops a file called “oci.dll” into the Windows System32\r\ndirectory, which is later mistakenly loaded by MSDTC (Figure 6).\r\nDuring the next step, the loader modifies the MSDTC service to start automatically to achieve persistence,\r\neven though this might not be important for ransomware.\r\nTo reach execution with higher permissions on the system, the loader changes the account used to run the\r\nservice to LocalSystem, which is an administrative account (Figure 7). To finally trigger the execution of CatB\r\nransomware, the loader starts the service, which tries to load the previously dropped DLL due to its DLL Side-Loading vulnerability.\r\nDropping a DLL into a trusted Windows system location as well as Side-Loading it into a process is\r\ndetected via VTIs (VMRay Threat Identifiers), which helps to establish the maliciousness of the loader used by the\r\nransomware (Figure 8).\r\nAnalysis of CatB Ransomware\r\nFinally, the actual payload containing CatB ransomware is executed in the context of the trusted Windows service\r\nMSDTC. An interesting observation here is that the ransomware performs exactly the same anti-VM checks as\r\nthe loader (Figure 9).\r\nOnce CatB passes all the checks for the second time, the ransomware tries to find interesting files to encrypt to\r\nmake them unavailable to the user. 
VMRay reveals the behavior of searching for files across multiple drives in its\r\nfunction log (Figure 10).\r\nOur analysis shows that the ransomware searches for files that are related to users and maintains two lists for this\r\npurpose. One list contains the extensions of file types that will be encrypted (Figure 11, left), and the other contains\r\nextensions that are excluded and, therefore, will not be modified (Figure 11, right).\r\nBased on the exclusion list, we can assume that the malware developer does not want to damage the system or\r\ndoes not see any advantage in encrypting system files, installers, or disk images. Ransomware operators typically\r\ndo not want to destroy, they want to hold files hostage, and the operating system still needs to work for the victim\r\nto see the ransom note.\r\nHowever, even though the ransomware maintains a list of file extensions used to search for files that will be\r\nencrypted, it will also encrypt files with extensions that are not part of that list.\r\nWhile searching for files, CatB checks each file’s size; if it is below 52MB and its extension is part of the list in\r\nFigure 11 (left), the complete file is encrypted. Otherwise, if the size of the file exceeds the limit of 52MB or it does\r\nnot have a listed extension and is not part of the exclusion list in Figure 11 (right), only the first 20480 bytes are encrypted\r\n(Figure 12).\r\nWe can assume that the ransomware developer limits the file size due to the amount of performance that is needed\r\nfor encrypting large files. 
If the encryption process takes too long, systems can be switched off before all of their\r\nfiles have been encrypted.\r\nCompared to other ransomware families, CatB prepends the ransom note to each encrypted file without modifying\r\nits extension, instead of dropping a separate file and renaming the encrypted one. Victims might not notice what\r\nhappened to their files, as the applications associated with the file type can fail to open them once the header\r\nbytes used to recognize them are gone. Looking at the content of an encrypted file reveals the ransom note\r\n(Figure 13).\r\nVMRay’s VTIs are capable of detecting the modification of multiple user files within the analysis environment,\r\neven though the malicious behavior was performed in the context of a trusted system service (Figure 14).\r\nIn addition, the VMRay Platform comes with a continuously updated set of YARA rules.\r\nConclusion\r\nMalware families like CatB underline the importance of using an evasion-resistant sandbox. This ensures that\r\nsamples with anti-VM checks are analyzed properly and reveal their malicious behavior. 
VMRay provides\r\nextensive and easy-to-configure options to bypass a variety of anti-VM checks.\r\nVMRay’s analysis report, as well as the function logging capability, assists malware analysts and researchers in\r\nquickly diving deep into the ransomware’s behavior and having a detailed look into its capabilities.\r\nReferences\r\nhttps://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware\r\nIOCs\r\nHashes:\r\nSample (Loader):\r\n3661ff2a050ad47fdc451aed18b88444646bb3eb6387b07f4e47d0306aac6642\r\nDropped Payload (Ransomware):\r\n35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b\r\nRansom Note, Bitcoin Wallet Address:\r\nbc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz\r\nRansom Note, Email Contact:\r\ncatB9991@protonmail.com\r\nPatrick Staubmann\r\nThreat Researcher\r\nSource: https://www.vmray.com/cyber-security-blog/catb-ransomware-a-new-threat-exploiting-dll-side-loading/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/catb-ransomware-a-new-threat-exploiting-dll-side-loading/"
	],
	"report_names": [
		"catb-ransomware-a-new-threat-exploiting-dll-side-loading"
	],
	"threat_actors": [],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8985f4a64162b866f79f2f82e86f5ed58f4e3e0.pdf",
		"text": "https://archive.orkl.eu/c8985f4a64162b866f79f2f82e86f5ed58f4e3e0.txt",
		"img": "https://archive.orkl.eu/c8985f4a64162b866f79f2f82e86f5ed58f4e3e0.jpg"
	}
}