Novel CatB ransomware analyzed

Newly emergent CatB ransomware has been leveraging DLL search order hijacking through Microsoft Distributed Transaction Coordinator to bypass security systems and facilitate payload deployment, The Hacker News reports.| Believed to be an evolution of the Pandora ransomware attributed to Chinese cyberespionage operation Bronze Starlight, CatB ransomware features a dropper with anti-analysis checking capabilities that eventually exploits MSDTC to enable the injection of the oci.dll payload with the ransomware strain, according to a SentinelOne report. The report also showed that CatB ransomware has the capability to exfiltrate browser-stored passwords, history, and bookmarks, as well as forgoes the traditional ransomware note in exchange of messages in encrypted files urging Bitcoin payments. "CatB joins a long line of ransomware families that embrace semi-novel techniques and atypical behaviors such as appending notes to the head of files. These behaviors appear to be implemented in the interest of detection evasion and some level of anti-analysis trickery," said researcher Jim Walter.