
Summary
A Chinese-affiliated advanced persistent threat (APT) group known as ToddyCat has exploited a vulnerability in ESET security software to deploy a novel malware called TCESB. This malware uses a DLL search order hijacking technique and leverages a vulnerable Dell driver to disable security notifications. ESET has patched the vulnerability, but organizations should remain vigilant and monitor systems for suspicious activity.
**Main Story**
The cybersecurity landscape constantly evolves, with new threats emerging regularly. Recently, researchers uncovered a concerning development involving a Chinese-affiliated APT group known as ToddyCat and their exploitation of a vulnerability in ESET security software. This vulnerability allowed the group to deploy a previously undocumented malware, codenamed TCESB, which exhibits advanced capabilities to evade detection and execute malicious payloads. This article delves into the details of this new threat, its implications, and the recommended security measures.
The ToddyCat Group and ESET Vulnerability
ToddyCat, active since at least December 2020, has a history of targeting entities across Asia, primarily focusing on large-scale data theft and maintaining persistent access to compromised systems. Their latest campaign involved exploiting a vulnerability (CVE-2024-11859) in ESET’s command-line scanner. The vulnerability stems from insecure loading of a system library (“version.dll”): the scanner searches for the DLL in the current directory before checking the system folders. Attackers exploited this flaw by planting a malicious “version.dll” in a specific directory, so that the ESET scanner loaded it instead of the legitimate library, resulting in arbitrary code execution. ESET patched this vulnerability in January 2025, but unpatched systems remain at risk.
Dissecting the TCESB Malware
TCESB, a 64-bit DLL written in C++, leverages DLL Search Order Hijacking to execute malicious code within the context of the ESET scanner. Analysis reveals that TCESB is based on the open-source tool EDRSandBlast, modified by ToddyCat to enhance its stealth and functionality. The malware operates by altering operating system kernel structures, specifically disabling the notification routines for events such as process creation or file loading. This allows TCESB to operate undetected by security monitoring tools. To do so, TCESB uses a technique called Bring Your Own Vulnerable Driver (BYOVD), installing a vulnerable Dell driver (DBUtilDrv2.sys) known to be susceptible to privilege escalation (CVE-2021-36276). This gives TCESB the kernel-level access it needs to disable security notifications, further enhancing its stealth. Once the vulnerable driver is installed, TCESB continuously scans the system for a specific encrypted payload file. Upon finding it, TCESB decrypts the file using AES-128 and executes it, delivering the final payload onto the compromised system.
Mitigating the Threat and Recommendations
The emergence of TCESB highlights the ongoing risks associated with software vulnerabilities, DLL hijacking techniques, and vulnerable drivers. Organizations must adopt a proactive approach to cybersecurity to mitigate these risks. Here are some key recommendations:
- Update ESET Products: Immediately update all ESET security software to the latest versions to patch the CVE-2024-11859 vulnerability.
- Monitor Driver Installations: Regularly monitor systems for unauthorized driver installations, particularly those with known vulnerabilities. Pay special attention to drivers like DBUtilDrv2.sys.
- Control Administrative Privileges: Implement strict access controls to limit administrative privileges. This reduces the impact of potential exploits, as many require administrator-level access.
- Educate Users: Conduct regular security awareness training to educate users about the dangers of downloading and executing files from untrusted sources, a common initial infection vector for many malware strains.
- Employ EDR Solutions: Utilize endpoint detection and response (EDR) solutions to proactively identify and mitigate suspicious activities, such as DLL hijacking and kernel-level modifications.
- Regular Vulnerability Scanning: Implement routine vulnerability scanning and penetration testing to identify and address security weaknesses in your systems before they can be exploited.
- Stay Informed: Keep abreast of the latest threat intelligence and security advisories to stay ahead of emerging threats and vulnerabilities.
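The two detection points above (version.dll resolved from outside the Windows system directories, and a load of DBUtilDrv2.sys) can be checked mechanically in endpoint telemetry. The following is an added example, not code from the article or from any vendor, that runs simple detection logic over constructed Sysmon-style image-load and driver-load records; the event field names mirror Sysmon's ImageLoad and DriverLoad events, and the process paths are placeholders.

```python
"""Flag the two TCESB tradecraft signals in Sysmon-like telemetry.

Added example (not from the original article). Event shapes follow Sysmon:
EventID 7 = ImageLoad (Image, ImageLoaded), EventID 6 = DriverLoad
(ImageLoaded). All records below are constructed sample data.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Driver known to be abused for BYOVD (CVE-2021-36276, named in the article).
VULNERABLE_DRIVERS = {"dbutildrv2.sys"}

# Constructed sample events; "cmdscan.exe" is a placeholder process name.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\cmdscan.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},          # benign
    {"EventID": 7, "Image": r"C:\Users\Public\scan\cmdscan.exe",
     "ImageLoaded": r"C:\Users\Public\scan\version.dll"},         # hijack
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\scan\DBUtilDrv2.sys"},
]


def _in_system_dir(path):
    """True if the file's directory is one of the Windows system folders."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in SYSTEM_DIRS


def is_hijacked_version_dll(event):
    """version.dll should only ever resolve from the system directories;
    any other location matches the CVE-2024-11859 search-order hijack."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "")
    return (ntpath.basename(loaded).lower() == "version.dll"
            and not _in_system_dir(loaded))


def is_vulnerable_driver_load(event):
    """Any load of a driver on the vulnerable list is a BYOVD signal."""
    if event.get("EventID") != 6:
        return False
    name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    return name in VULNERABLE_DRIVERS


def find_alerts(events):
    """Return (rule, path) tuples for every matching event, in log order."""
    alerts = []
    for ev in events:
        if is_hijacked_version_dll(ev):
            alerts.append(("dll_search_order_hijack", ev["ImageLoaded"]))
        elif is_vulnerable_driver_load(ev):
            alerts.append(("byovd_vulnerable_driver", ev["ImageLoaded"]))
    return alerts
```

In production the same checks would run over the live Sysmon channel rather than a list; comparing the driver's hash against a published blocklist catches renamed copies that a filename match misses.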
The discovery of TCESB and its deployment through an ESET vulnerability underscores the importance of a layered security approach and continuous vigilance. By implementing the recommended security measures, organizations can significantly reduce their risk of falling victim to sophisticated APT attacks like those carried out by ToddyCat. Remember, cybersecurity is an ongoing process, not a one-time fix. As threat actors continue to evolve their tactics, organizations must adapt and strengthen their defenses to maintain a robust security posture.
The use of BYOVD (Bring Your Own Vulnerable Driver) by ToddyCat is a concerning reminder of how threat actors are leveraging existing vulnerabilities in unexpected ways. Proactive driver monitoring and management should be a key element of organizational security strategies.