In early 2024, cybersecurity researchers identified a sophisticated attack orchestrated by the advanced persistent threat (APT) group known as ToddyCat. This campaign exploited a vulnerability in ESET’s command line scanner, enabling the attackers to deploy malicious code stealthily within targeted systems. The flaw, designated as CVE-2024-11859, permitted the execution of harmful payloads under the guise of a trusted security application, effectively bypassing standard monitoring mechanisms.
Discovery of the Exploit
Investigators first noticed anomalous files named version.dll residing in the temporary directories of several compromised devices. Upon closer examination, these files were identified as components of a novel tool, referred to as TCESB, engineered specifically to circumvent protective measures and evade detection. This tool represented a new addition to ToddyCat’s arsenal, showcasing the group’s continuous evolution in attack methodologies.
Technical Breakdown of the Exploit Chain
The attackers employed a technique known as DLL proxying, classified as T1574 in the MITRE ATT&CK framework. This method involves creating a malicious DLL that exports all functions of a legitimate DLL, redirecting calls to the original while executing harmful operations covertly. In this instance, the TCESB tool exploited the ESET command line scanner’s insecure DLL loading mechanism. The scanner searched for the version.dll file in the current directory before checking system directories, allowing the malicious DLL to be loaded preferentially.
Further analysis revealed that TCESB was based on the open-source tool EDRSandBlast, modified to enhance its capabilities. The malware could alter Windows kernel structures to disable notifications about critical system events, such as process creation, thereby increasing its stealth.
Advanced Evasion Techniques
To further evade detection, TCESB utilized the Bring Your Own Vulnerable Driver (BYOVD) technique, identified as T1211 in the MITRE ATT&CK framework. Specifically, the attackers exploited the Dell DBUtilDrv2.sys driver, which contained the CVE-2021-36276 vulnerability. This approach allowed them to perform privileged operations at the kernel level, effectively disabling security features and maintaining persistent access to the compromised systems.
Payload Deployment Mechanism
The TCESB tool implemented a sophisticated payload execution system. It periodically checked for specific files named kesp or ecore in the current directory. Upon detection, these files were decrypted with AES-128, the decryption key being embedded in the first 32 bytes of the payload file. This multi-stage process ensured that payloads were deployed only after the initial infiltration had been confirmed successful, demonstrating ToddyCat’s meticulous operational security.
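A defender-side hunt for the indicators described above, a version.dll placed where the scanner's current directory would be searched before System32, with kesp or ecore stage files beside it, as an added PowerShell example that is not part of the original report or of any vendor's tooling. The list of directories searched, the comparison against the signer of the system's own version.dll, and the sibling-file check are this example's assumptions; the report itself only gives the file names and the search-order behaviour.

```powershell
# Added example (not from the original report): hunt for a version.dll that would win the
# DLL search order over %SystemRoot%\System32\version.dll, and note kesp/ecore stage files
# sitting beside it. Search roots and the sibling-file check are assumptions for this example.

# Directories where a proxied version.dll would be unexpected. Extend to your own temp paths.
$SearchRoots = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    $env:ProgramData,
    $env:LOCALAPPDATA
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# Reference copy shipped with Windows; a proxy DLL re-exports its functions but will not
# carry the same Authenticode signer.
$Reference = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\System32\version.dll"

$Findings = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter 'version.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Stage files the report names (kesp / ecore) in the same directory as the DLL.
        $siblings = Get-ChildItem -Path $_.DirectoryName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in @('kesp', 'ecore') } |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Path            = $_.FullName
            SizeBytes       = $_.Length
            LastWriteUtc    = $_.LastWriteTimeUtc
            SHA256          = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            SameSignerAsOS  = ($sig.Status -eq 'Valid' -and
                               $sig.SignerCertificate.Subject -eq $Reference.SignerCertificate.Subject)
            StageFiles      = ($siblings -join ',')
        }
    }
}

if ($Findings) {
    $Findings | Format-List
} else {
    Write-Output "No version.dll found under: $($SearchRoots -join '; ')"
}
```

Any version.dll outside the system directories deserves triage; one that is unsigned, signed by someone other than the OS signer, or accompanied by kesp or ecore is the pattern the report describes. Run it with an account that can read the temp directories of all users if you want host-wide coverage.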
Mitigation and Recommendations
ESET addressed the vulnerability by releasing a patch on January 21, 2025, accompanied by a security advisory published on April 4, 2025. Organizations are urged to apply this patch promptly to mitigate the risk associated with CVE-2024-11859.
Security professionals should monitor systems for the installation of drivers with known vulnerabilities. Resources like the loldrivers project can assist in identifying such drivers. Additionally, monitoring Windows kernel debug symbol loading events is advisable, especially on devices where kernel debugging is unexpected.
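One way to act on the driver recommendation above, as an added example written for this page and not code from the original report or from the loldrivers project: hash every kernel driver registered on the host and compare against the project's published hash list, also flagging the Dell DBUtilDrv2.sys driver named earlier. The local JSON path is a placeholder, and the field names (KnownVulnerableSamples, SHA256) are taken from the project's JSON as the author of this example understands it; verify them against the copy you download.

```powershell
# Added example (not from the original report): compare registered kernel drivers against the
# LOLDrivers hash list. Download the project's drivers.json yourself and point the placeholder
# path at it. Field names follow the project's JSON as understood when this was written.
$LolDriversJson = 'C:\hunt\drivers.json'   # placeholder path, supply your own copy

$vulnHashes = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($entry in (Get-Content -Raw -Path $LolDriversJson | ConvertFrom-Json)) {
    foreach ($sample in $entry.KnownVulnerableSamples) {
        if ($sample.SHA256) { [void]$vulnHashes.Add($sample.SHA256) }
    }
}

# Every kernel driver registered as a service, running or not: BYOVD leaves the driver
# installed even when it is only loaded long enough to patch kernel structures.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be quoted, prefixed with \??\ or \SystemRoot\, or relative to %SystemRoot%.
        $p = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path $p)) { $p = Join-Path $env:SystemRoot $p.TrimStart('\') }
        [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $p }
    }

$hits = foreach ($d in $drivers) {
    if (-not (Test-Path $d.Path)) { continue }
    $hash   = (Get-FileHash -Algorithm SHA256 -Path $d.Path).Hash
    $reason = @()
    if ($vulnHashes.Contains($hash)) { $reason += 'SHA256 listed in LOLDrivers' }
    # The driver the report says ToddyCat abused (CVE-2021-36276); a name match is a lead, not proof.
    if ((Split-Path -Path $d.Path -Leaf) -ieq 'DBUtilDrv2.sys') { $reason += 'Dell DBUtilDrv2.sys present' }
    if ($reason) {
        [pscustomobject]@{
            Driver = $d.Name; State = $d.State; Path = $d.Path
            SHA256 = $hash;   Reason = ($reason -join '; ')
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No LOLDrivers hash or DBUtilDrv2.sys match among $($drivers.Count) registered drivers."
}
```

Run this from PowerShell 7 if the hash list is large; Windows PowerShell 5.1's ConvertFrom-Json can fail on multi-megabyte input. A hash match means a known-vulnerable build is installed, not necessarily that it was abused, so pair the result with the driver's install time and the service that registered it.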
This incident underscores the evolving tactics of advanced threat actors who exploit trusted software, including security solutions, to maintain undetected access to targeted systems. It highlights the necessity for continuous vigilance, regular software updates, and the implementation of comprehensive security measures to defend against sophisticated cyber threats.