Emergence of TCESB Malware: Exploiting ESET Vulnerabilities for Stealthy Attacks

In a recent cybersecurity development, the Chinese-affiliated threat actor known as ToddyCat has been identified exploiting a vulnerability in ESET’s security software to deploy a novel malware strain named TCESB. This sophisticated malware is engineered to execute payloads covertly, effectively bypassing existing protection and monitoring mechanisms on targeted devices.

Background on ToddyCat

ToddyCat is a cyber-espionage group that has been active since at least December 2020, primarily targeting entities across Asia. The group’s operations have been characterized by persistent access to compromised environments and large-scale data exfiltration from organizations in the Asia-Pacific region.

Discovery of TCESB

During investigations into ToddyCat’s activities in early 2024, cybersecurity researchers uncovered a suspicious DLL file named version.dll located in the temporary directories of multiple compromised devices. This 64-bit DLL, identified as TCESB, was found to be executed through a method known as DLL Search Order Hijacking, allowing attackers to manipulate the execution flow of legitimate applications.

Exploitation of ESET Vulnerability

The attackers exploited a specific vulnerability in the ESET Command Line Scanner, which insecurely loaded version.dll by searching the current working directory before the system directories. By placing a malicious version.dll in that directory, the attackers ensured it was loaded in place of the legitimate Microsoft library. The vulnerability, designated CVE-2024-11859 with a CVSS score of 6.8, was addressed by ESET in late January 2025 following responsible disclosure.

Technical Details of TCESB

TCESB is a modified version of the open-source tool EDRSandBlast, designed to alter operating system kernel structures in order to disable notification routines, also known as callbacks. Callbacks are the mechanism by which drivers, including those of security products, are notified of events such as process creation or registry modification. By disabling them, TCESB effectively blinds security software to malicious activity occurring on the system.

Bring Your Own Vulnerable Driver (BYOVD) Technique

To achieve its objectives, TCESB employs the Bring Your Own Vulnerable Driver (BYOVD) technique. This involves installing a legitimate but vulnerable driver on the system to escalate privileges or disable security features. In this case, TCESB installs a vulnerable Dell driver, DBUtilDrv2.sys, through the Device Manager interface. This driver is susceptible to a known privilege escalation flaw, CVE-2021-36276, which the malware exploits to gain higher privileges and manipulate kernel structures.

Implications and Recommendations

The emergence of TCESB underscores the evolving tactics of threat actors who are increasingly leveraging vulnerabilities in security software to deploy sophisticated malware. Organizations are advised to:

– Update Security Software: Ensure that all security applications are updated to the latest versions to patch known vulnerabilities.

– Monitor for Anomalies: Implement robust monitoring to detect unusual activities, such as unauthorized driver installations or unexpected DLL files in system directories.

– Employ Defense-in-Depth Strategies: Utilize multiple layers of security controls to detect and prevent exploitation attempts at various stages.
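As an added example (not code from the original report, from ToddyCat's tooling or from ESET), the following Python turns the monitoring recommendation above into detection logic run over constructed Sysmon-style image-load and driver-load records: it flags version.dll loading from anywhere outside the Windows system directories (the search-order hijack indicator) and any load of the DBUtilDrv2.sys driver named earlier. The event field names, process paths and sample records are assumptions made for the example.

```python
import ntpath

# Directories from which the genuine Microsoft version.dll is expected to load
# (compared case-insensitively, as Windows paths are).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Driver named in the article as the BYOVD component; extend with other
# known-vulnerable driver names from your own blocklist.
KNOWN_VULNERABLE_DRIVERS = {"dbutildrv2.sys"}

# Constructed records modelled on Sysmon "Image loaded" (event ID 7) and
# "Driver loaded" (event ID 6) events. Process and file paths are made up
# for this example; they are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"event_id": 7, "image": r"C:\Tools\cli_scanner.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},
    {"event_id": 7, "image": r"C:\Tools\cli_scanner.exe",
     "image_loaded": r"C:\Users\Public\Temp\version.dll"},
    {"event_id": 6, "image": "System",
     "image_loaded": r"C:\Windows\Temp\DBUtilDrv2.sys"},
    {"event_id": 6, "image": "System",
     "image_loaded": r"C:\Windows\System32\drivers\ndis.sys"},
]


def is_search_order_hijack(event):
    """True when version.dll is loaded from anywhere but a system directory."""
    if event.get("event_id") != 7:
        return False
    loaded = event["image_loaded"].lower()
    if ntpath.basename(loaded) != "version.dll":
        return False
    return ntpath.dirname(loaded) not in SYSTEM_DIRS


def is_vulnerable_driver_load(event):
    """True when a driver on the known-vulnerable list is loaded, wherever from."""
    if event.get("event_id") != 6:
        return False
    return ntpath.basename(event["image_loaded"].lower()) in KNOWN_VULNERABLE_DRIVERS


def triage(events):
    """Return (reason, path) findings for the two indicators the article describes."""
    findings = []
    for ev in events:
        if is_search_order_hijack(ev):
            findings.append(("version.dll outside system directory", ev["image_loaded"]))
        elif is_vulnerable_driver_load(ev):
            findings.append(("known vulnerable driver loaded", ev["image_loaded"]))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields two findings: the version.dll copy under a temporary directory and the DBUtilDrv2.sys load; legitimate applications that ship their own copy of a system DLL will also match the first rule, so treat it as a hunting lead to triage rather than a verdict.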

By staying vigilant and proactive, organizations can mitigate the risks associated with advanced persistent threats like those posed by ToddyCat and the TCESB malware.