A newly discovered ransomware, called CatB, has been found performing MSDTC service DLL hijacking to drop and execute its payload. The sample, first discovered on November 23, 2022, is assumed to share similarities with Pandora ransomware. 

Features of CatB

CatB ransomware implements several anti-VM techniques, followed by DLL hijacking to evade detection. 
  • Before activating anti-evasion techniques, the malware checks for a processor's core, hard drive size, and physical memory of targeted machines.  
  • Once executed on victims’ machines, the ransomware avoids encrypting files with MSI, EXE, DLL, SYS, and ISO extensions and the NTUSER.DAT file.
  • Post-encryption, the ransomware adds the ransom note to the beginning of every file instead of leaving a separate note. 

Persistent detection evasion

While CatB is the latest of the sophisticated ransomware groups to have emerged, there have been several such examples observed in recent times.
  • The BlackByte group was found leveraging Bring Your Own Driver (BYOD) to bypass the security solutions. 
  • The Magniber ransomware operators were also found advertising fake antivirus and security updates to silently distribute payload onto victims’ systems. 
  • In another incident, RansomExx was upgraded in Rust language to improve its evasion capabilities. 
  • Besides, AvosLocker joined other ransomware families such as Hive, Pysa, and HelloKitty to take advantage of virtual machines as part of its evasion process. 


Threat actors will continue to make developments to improve evasion techniques. Organizations are recommended to include the IOCs to investigate the existence of such threats in their environments and evaluate for potential intrusion. Cyware’s CTIX platform helps you detect and analyze such threats before they can cause any harm to your systems.
Cyware Publisher