Andrey Gunkin@Securelist
//
The APT group ToddyCat has been discovered exploiting a vulnerability, CVE-2024-11859, in ESET's command-line scanner (ecls) to conceal their malicious activities. This sophisticated attack, uncovered during investigations into ToddyCat-related incidents in early 2024, involved using a malicious DLL library to bypass security monitoring tools by executing malicious payloads within the context of a trusted security solution. Researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems, which was identified as a complex tool called TCESB, designed to stealthily execute payloads in circumvention of protection mechanisms.
This vulnerability stemmed from ESET's scanner's insecure loading of the system library, version.dll. The attackers leveraged a DLL-proxying technique, where the malicious DLL exports functions identical to a legitimate library, redirecting calls to the original while executing malicious code in the background. By exploiting this weakness, ToddyCat was able to mask their activities within a trusted process, making it difficult for traditional security measures to detect the threat. The vulnerability allowed the malicious DLL to be loaded instead of the legitimate one. To further enhance their stealth, ToddyCat employed the Bring Your Own Vulnerable Driver (BYOVD) technique. They deployed the Dell driver DBUtilDrv2.sys, exploiting the CVE-2021-36276 vulnerability to achieve kernel-level access and tamper with kernel memory structures. This allowed them to disable system event notifications, such as process creation or dynamic library loading, making their activities even harder to detect. Recognizing the severity of the issue, ESET promptly patched the vulnerability (CVE-2024-11859) in January 2025. References :
Classification:
Aman Mishra@gbhackers.com
//
ESET researchers have uncovered connections between RansomHub affiliates and other ransomware groups, including Medusa, BianLian, and Play. This link is established through the shared use of EDRKillShifter, a custom tool designed to disable endpoint detection and response (EDR) software on compromised systems. EDRKillShifter utilizes a "Bring Your Own Vulnerable Driver" (BYOVD) tactic, leveraging a legitimate but vulnerable driver to terminate security solutions, ensuring the smooth execution of ransomware encryptors without detection.
This sharing of tools highlights an evolving trend in the ransomware landscape, where groups collaborate and repurpose tooling from rivals. ESET's analysis reveals that even closed ransomware-as-a-service (RaaS) operations like Play and BianLian, known for their consistent use of core tools, have members utilizing EDRKillShifter in their attacks. RansomHub, a relatively new player, quickly rose to prominence in the ransomware scene after emerging in February 2024, dominating the landscape by recruiting affiliates from disrupted groups such as LockBit and BlackCat. The tool, custom-developed by RansomHub, is offered to its affiliates as part of its RaaS program. References :
Classification:
Mandvi@Cyber Security News
//
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.
The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide. References :
Classification: |