
A China-linked threat actor known for cyberattacks in Asia has been observed exploiting a security flaw in ESET software to deliver previously undocumented malware codenamed TCESB.
“[TCESB is a tool] we weren’t able to see before in ToddyCat’s attacks,” Kaspersky said in an analysis published this week.
ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating back to at least December 2020.
Last year, the Russian cybersecurity vendor detailed the hacking group’s use of various tools to maintain persistent access to breached environments and harvest data on an “industrial scale” from organizations in the Asia-Pacific region.

Kaspersky said an investigation into a ToddyCat-related incident in early 2024 unearthed a suspicious DLL file (“version.dll”) in the TEMP directories of multiple devices. It turned out that TCESB, a 64-bit DLL, is invoked via a technique called DLL Search Order Hijacking to seize control of the execution flow.
This is said to have been achieved by taking advantage of a flaw in the ESET command line scanner, which insecurely loads a DLL named “version.dll” by first checking for the file in the current directory and only then in the system directory.
At this stage it is worth pointing out that “version.dll” is a legitimate version-checking and file-installation library from Microsoft located in the “C:\Windows\System32\” or “C:\Windows\Syswow64\” directory.
By exploiting this loophole, an attacker can cause a malicious version of “version.dll” to be run instead of the legitimate one. The vulnerability, tracked as CVE-2024-11859 (CVSS score: 6.8), was fixed by ESET in late January 2025 following responsible disclosure.

“The vulnerability allows an attacker with administrator privileges to load a malicious dynamic link library and execute code,” ESET said in an advisory released last week. “However, this technique did not increase privileges. Attackers would need to have administrator privileges to carry out this attack.”
In a statement shared with The Hacker News, the Slovak cybersecurity company said it would address the vulnerability by releasing fixed builds of its consumer, business and server security products for the Windows operating system.
TCESB, for its part, is a modified version of an open-source tool called EDRSandBlast that incorporates the ability to alter operating system kernel structures in order to disable notification routines (also known as callbacks). These routines are designed to notify drivers of specific events, such as process creation and the setting of registry keys.

To pull this off, TCESB uses another known technique called Bring Your Own Vulnerable Driver (BYOVD) to install a vulnerable Dell driver, DBUTILDRV2.SYS, on the system via the Device Manager interface. The DBUTILDRV2.SYS driver is susceptible to a known privilege escalation flaw tracked as CVE-2021-36276.
This is not the first Dell driver to be abused for malicious purposes. In 2022, a similar privilege escalation vulnerability (CVE-2021-21551) in another Dell driver, DBUTIL_2_3.SYS, was also exploited as part of a BYOVD attack by the North Korea-linked Lazarus Group to turn off security mechanisms.
“When a vulnerable driver is installed on your system, TCESB runs a loop and checks every 2 seconds for the existence of payload files with a specific name in the current directory. There may be no payloads when the tool starts up.”
The payload artifact itself was not available, but further analysis determined that it is encrypted using AES-128 and is decrypted and executed as soon as it appears in the specified path.
“To detect activity for such tools, we recommend monitoring systems for installation events involving drivers with known vulnerabilities,” Kaspersky said. “It is also worth watching for events related to loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected.”
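As an added example that is not part of the Kaspersky or ESET material, the following Python script applies two of the detection ideas in this article: it flags a copy of version.dll found outside the System32/SysWOW64 directories (as in the TEMP-directory finds described above) whose contents differ from the system copy, and it matches driver file names against the two Dell drivers named here. The file inventory and driver list are constructed sample data, not real artifacts.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Directories where the legitimate Microsoft version.dll lives (per the article).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HIJACKABLE_DLLS = {"version.dll"}
# Drivers the article names as abused in BYOVD attacks, mapped to their CVEs.
KNOWN_VULNERABLE_DRIVERS = {"dbutildrv2.sys": "CVE-2021-36276",
                            "dbutil_2_3.sys": "CVE-2021-21551"}


@dataclass
class Finding:
    path: str
    reason: str


def normalize(path: str) -> str:
    """Canonical lower-case Windows path so comparisons are case-insensitive."""
    return ntpath.normpath(path).lower()


def find_dll_hijack_candidates(files: dict) -> list:
    """files maps a Windows path to the file's bytes (a constructed inventory).
    A hijackable DLL outside the system directories is flagged unless it is
    byte-identical to a copy found in System32/SysWOW64."""
    inv = {normalize(p): data for p, data in files.items()}
    system_hashes = {}
    for p, data in inv.items():
        d, name = ntpath.split(p)
        if name in HIJACKABLE_DLLS and d in SYSTEM_DIRS:
            system_hashes.setdefault(name, set()).add(hashlib.sha256(data).hexdigest())
    findings = []
    for p, data in inv.items():
        d, name = ntpath.split(p)
        if name not in HIJACKABLE_DLLS or d in SYSTEM_DIRS:
            continue
        if hashlib.sha256(data).hexdigest() in system_hashes.get(name, set()):
            continue  # identical to the system copy: a stray copy, not a planted DLL
        findings.append(Finding(p, f"{name} outside system dirs; hash differs from system copy"))
    return findings


def find_vulnerable_driver_loads(driver_paths: list) -> list:
    """Match installed/loaded driver file names against the known-vulnerable list."""
    findings = []
    for p in driver_paths:
        cve = KNOWN_VULNERABLE_DRIVERS.get(ntpath.basename(normalize(p)))
        if cve:
            findings.append(Finding(normalize(p), f"known vulnerable driver ({cve})"))
    return findings
```

Run it against a constructed inventory such as `{r"C:\Windows\System32\version.dll": b"legit", r"C:\Users\a\AppData\Local\Temp\version.dll": b"other"}` and only the TEMP copy is reported.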