CyberSecurity news
Andrey Gunkin@Securelist
The APT group ToddyCat has been discovered exploiting a vulnerability, CVE-2024-11859, in ESET's command-line scanner (ecls) to conceal its malicious activities. The attack, uncovered during investigations into ToddyCat-related incidents in early 2024, used a malicious DLL to bypass security monitoring tools by executing payloads within the context of a trusted security solution. Researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems; it was identified as a complex tool called TCESB, designed to execute payloads stealthily while circumventing protection mechanisms.
The vulnerability stemmed from the ESET scanner loading the system library version.dll insecurely, so that a malicious DLL placed in the search path was loaded instead of the legitimate one. The attackers used a DLL-proxying technique: the malicious DLL exports the same functions as the legitimate library and forwards calls to the original while executing malicious code in the background. By exploiting this weakness, ToddyCat masked its activity inside a trusted process, making the threat difficult for traditional security measures to detect.
To hide further, ToddyCat employed the Bring Your Own Vulnerable Driver (BYOVD) technique. They deployed the Dell driver DBUtilDrv2.sys and exploited CVE-2021-36276 to gain kernel-level access and tamper with kernel memory structures. This let them disable system event notifications, such as process creation or dynamic library loading, making their activity even harder to detect. Recognizing the severity of the issue, ESET patched the vulnerability (CVE-2024-11859) in January 2025.
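A defender-side detection sketch for the two behaviours described above, added here as an example and not part of the original report or any vendor tooling: it runs over constructed Sysmon-style image-load (event 7) and driver-load (event 6) records and flags a hijack-prone system DLL such as version.dll loaded from outside the Windows system directories, as well as a load of the DBUtilDrv2.sys driver. The ESET install path and the event field names are assumptions.

```python
import ntpath

# Windows directories a system DLL such as version.dll is legitimately loaded from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# System DLLs the page shows being proxied; extend with others you monitor.
MONITORED_DLLS = {"version.dll"}
# Known-vulnerable driver named on the page, mapped to its CVE.
KNOWN_VULNERABLE_DRIVERS = {"dbutildrv2.sys": "CVE-2021-36276"}

# Constructed Sysmon-style records (not real telemetry). The ESET path is assumed.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Program Files\ESET\ESET Security\ecls.exe",
     "loaded": r"C:\Windows\System32\version.dll"},          # legitimate load
    {"id": 7, "image": r"C:\Program Files\ESET\ESET Security\ecls.exe",
     "loaded": r"C:\Users\Public\temp\version.dll"},          # hijack candidate
    {"id": 6, "loaded": r"C:\Windows\System32\drivers\DBUtilDrv2.sys"},  # BYOVD
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\version.dll"},          # legitimate load
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def is_dll_hijack_candidate(ev):
    """Image load (event 7) of a monitored system DLL from outside the system directories."""
    if ev.get("id") != 7:
        return False
    loaded = ev.get("loaded", "")
    return _base(loaded) in MONITORED_DLLS and not _dir(loaded).startswith(SYSTEM_DIRS)


def vulnerable_driver_cve(ev):
    """Driver load (event 6) of a known-vulnerable driver; returns its CVE or None."""
    if ev.get("id") != 6:
        return None
    return KNOWN_VULNERABLE_DRIVERS.get(_base(ev.get("loaded", "")))


def scan(events):
    """Return (rule, detail) findings for every event that matches a rule."""
    findings = []
    for ev in events:
        if is_dll_hijack_candidate(ev):
            findings.append(("dll-proxy-candidate", f'{_base(ev["image"])} loaded {ev["loaded"]}'))
        cve = vulnerable_driver_cve(ev)
        if cve:
            findings.append(("byovd-driver-load", f'{ev["loaded"]} ({cve})'))
    return findings
```

The DLL rule is deliberately not limited to ecls.exe: any process loading a monitored system DLL from a user-writable location deserves a look, and the finding records which process did it.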
References:
- cyberpress.org: ToddyCat Attackers Used ESET Command Line Scanner Vulnerability to Hide Their Tool
- cybersecuritynews.com: ToddyCat, the notorious APT group, used a sophisticated attack strategy to stealthily deploy malicious code in targeted systems by exploiting a weakness in ESET’s command line scanner. The vulnerability, now tracked as CVE-2024-11859, allowed attackers to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. In early 2024,
- Securelist: While analyzing a malicious DLL library used in attacks by APT group ToddyCat, a Kaspersky expert discovered the CVE-2024-11859 vulnerability in a component of ESET’s EPP solution.
- gbhackers.com: In a stark demonstration of Advanced Persistent Threat (APT) sophistication, the ToddyCat group has been discovered using a vulnerability in ESET’s Command Line Scanner (ecls) to mask their malicious activities. The attack came to light when researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems. This file was identified as a tool called TCESB,
- gbhackers.com: ToddyCat Attackers Exploited ESET Command Line Scanner Vulnerability to Conceal Their Tool
- securityonline.info: CVE-2024-11859: ToddyCat Group Hides Malware in ESET’s Scanner to Bypass Security
- ciso2ciso.com: How ToddyCat tried to hide behind AV software – Source: securelist.com
- cyberinsider.com: Kaspersky details how ToddyCat APT exploits ESET antivirus flaw to bypass Windows security.
- www.csoonline.com: Chinese ToddyCat abuses ESET antivirus bug for malicious activities
- securelist.com: How ToddyCat tried to hide behind AV software
- support.eset.com: Advisory from ESET
- The Hacker News: New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner
- ciso2ciso.com: New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner – Source: thehackernews.com
- eSecurity Planet: ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack
- securityaffairs.com: An APT group exploited ESET flaw to execute malware
- www.cysecurity.news: ToddyCat Hackers Exploit ESET Vulnerability to Deploy Stealth Malware TCESB
Classification:
- HashTags: #ToddyCat #ESET #APT
- Company: ESET
- Attacker: ToddyCat
- Product: ESET EPP
- Feature: Command-line scanner
- Malware: TCESB
- Type: Vulnerability
- Severity: Major