Sunday, May 26, 2024

Researchers Expose CATB Ransomware’s Evasion Technique

Recent research has exposed the operational method of CatB ransomware: the threat actor behind it uses DLL search order hijacking to evade detection while launching the payload. In late 2022, researchers found that CatB shares code with Pandora, which led to the belief that it is an evolution or rebrand of that family.

Pandora has been linked to Bronze Starlight, a China-based cybercriminal group notorious for using short-lived ransomware families to hide its true objectives. According to SentinelOne researcher Jim Walter, CatB payloads rely on DLL search order hijacking via the legitimate Microsoft Distributed Transaction Coordinator (MSDTC) service to drop and load the malicious payload.

The dropper performs thorough anti-analysis checks before abusing the MSDTC service so that the oci.dll file containing the ransomware is loaded into the msdtc.exe executable on the next system restart. To persist across that restart, the malware changes the MSDTC service's account name and start option.
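The following is an added defender-side check, not code from the article or from SentinelOne's research, that looks on a Windows host for the three artifacts described above: an oci.dll placed where msdtc.exe will load it, MSDTC service settings altered from their defaults, and an oci.dll module already loaded in a running msdtc.exe. The baseline start type and service account are assumed defaults for MSDTC; run it from an elevated session so process modules can be read.

```powershell
# Added example (not from the article): hunts for CatB-style MSDTC abuse.
# Baseline values below are assumptions about a default Windows install.
$findings = @()

# 1. msdtc.exe lives in System32, so an oci.dll in the same directory wins
#    the DLL search order. Oracle's real oci.dll is normally not present there.
$msdtcPath = Join-Path $env:SystemRoot 'System32\msdtc.exe'
$ociPath   = Join-Path (Split-Path $msdtcPath -Parent) 'oci.dll'
if (Test-Path $ociPath) {
    $sig = Get-AuthenticodeSignature -FilePath $ociPath
    $findings += [pscustomobject]@{
        Check  = 'oci.dll present beside msdtc.exe'
        Detail = "$ociPath (signature status: $($sig.Status))"
    }
}

# 2. Service configuration drift: assumed defaults for the MSDTC service.
$expected = @{ StartMode = 'Manual'; StartName = 'NT AUTHORITY\NetworkService' }
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if ($null -ne $svc) {
    foreach ($prop in $expected.Keys) {
        if ($svc.$prop -ne $expected[$prop]) {   # -ne is case-insensitive
            $findings += [pscustomobject]@{
                Check  = "MSDTC service $prop changed"
                Detail = "found '$($svc.$prop)', expected '$($expected[$prop])'"
            }
        }
    }
}

# 3. A running msdtc.exe that has already loaded an oci.dll module.
Get-Process -Name msdtc -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules | Where-Object { $_.ModuleName -ieq 'oci.dll' } | ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'oci.dll loaded in msdtc.exe'
            Detail = "PID $($proc.Id): $($_.FileName)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No CatB-style MSDTC artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```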

CatB also harvests sensitive data from web browsers, but what sets it apart is that it displays no ransom note and instead manipulates victims into making bitcoin payments.
