The Discovery of the Vulnerability
In a recent and alarming revelation, security researchers at Kaspersky have uncovered a critical vulnerability in ESET’s command-line scanner that has been exploited by the advanced persistent threat (APT) group known as ToddyCat. This vulnerability, tracked as CVE-2024-11859, has been leveraged to deploy a sophisticated piece of malware called TCESB, designed to operate undetected on Windows devices.
The Exploitation Mechanism
The attackers utilized a technique known as DLL Search Order Hijacking to exploit the vulnerability. Here’s how it works: the ESET command-line scanner, when loading system libraries, first checks the current working directory before searching in the system directories. This behavior allowed the attackers to place a malicious version of the version.dll file in the same directory as the scanner, ensuring that the scanner would load the malicious DLL instead of the legitimate one.
The Role of BYOVD
To further their malicious objectives, the attackers employed the “Bring Your Own Vulnerable Driver” (BYOVD) technique. They installed an older, vulnerable Dell driver (DBUtilDrv2.sys) that contains the CVE-2021-36276 vulnerability. This driver enabled the malware to gain elevated access to the system, facilitating the execution of the malicious payload without triggering security alerts.
Characteristics of TCESB Malware
TCESB is a modified version of the open-source tool EDRSandBlast, known for its ability to evade endpoint detection systems. The malware has been enhanced by ToddyCat to include features that modify operating system kernel structures, specifically disabling notification routines such as process creation and load events. This allows TCESB to operate stealthily, avoiding detection by traditional security tools.
Kernel Structure Manipulation
To achieve this level of stealth, TCESB determines the version of the Windows kernel it is operating on and uses this information to locate and modify specific kernel memory structures. It does this by either using a CSV file containing kernel version offsets or by fetching the necessary information from Microsoft’s debug symbol server using PDB files.
Payload Execution
Once the vulnerable driver is installed, TCESB runs a continuous loop, checking every two seconds for the presence of an encrypted payload file. When the payload is detected, it is decrypted and executed in memory, all while remaining under the radar of security software.
Mitigation and Recommendations
ESET has already patched the vulnerability in January 2025 following a responsible disclosure process. Users are strongly advised to update their ESET software to the latest version to prevent exploitation of this flaw.
Best Practices for Protection
- Update ESET Software: Ensure all ESET products are updated to the patched versions to mitigate the risk of this vulnerability.
- Monitor for Vulnerable Drivers: Regularly check for and remove any drivers with known vulnerabilities, such as the Dell DBUtilDrv2.sys driver.
- Watch for Suspicious Activity: Monitor systems for unexpected downloads of Windows kernel debug symbols and any unusual activity related to system library loading.
- Verify System Libraries: Regularly check all loaded system library files to ensure they are digitally signed and untampered.
By following these best practices, organizations can significantly reduce the risk of falling victim to this sophisticated malware attack.
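An added defender-side check, not part of the original article or of any Kaspersky or ESET tooling, that turns the last three practices into a PowerShell script. It assumes an elevated (Administrator) PowerShell session on Windows, and it uses only the two file names the article itself mentions (version.dll loaded from outside the system directories, and the DBUtilDrv2.sys driver) as the things to look for; the function names are illustrative.

```powershell
# Added example (not from the article): hunt for the two artifacts described above.
# Assumes an elevated PowerShell session; names below are taken from the article.
$SuspectDll = 'version.dll'
$VulnDriver = 'DBUtilDrv2.sys'
$SystemDir  = (Join-Path $env:SystemRoot 'System32').ToLower()
$SysWow     = (Join-Path $env:SystemRoot 'SysWOW64').ToLower()

function Test-SideloadedVersionDll {
    # Flag any process that has version.dll mapped from outside the Windows system
    # directories, or whose copy fails Authenticode verification (sideload indicator).
    $findings = @()
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in ($mods | Where-Object { $_.ModuleName -ieq $SuspectDll })) {
            $dir = (Split-Path $m.FileName).ToLower()
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $outsideSystem = ($dir -ne $SystemDir) -and ($dir -ne $SysWow)
            if ($outsideSystem -or $sig.Status -ne 'Valid') {
                $findings += [pscustomobject]@{
                    Process   = $p.ProcessName
                    Pid       = $p.Id
                    Path      = $m.FileName
                    Signature = $sig.Status
                }
            }
        }
    }
    return $findings
}

function Test-VulnerableDellDriver {
    # Report the known-vulnerable Dell driver whether it is registered as a kernel
    # service or merely dropped on disk, since BYOVD loaders install it on demand.
    $hits = @()
    $hits += Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$VulnDriver" } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Path = $_.PathName; State = $_.State } }
    $hits += Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter $VulnDriver -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'Disk'; Name = $_.Name; Path = $_.FullName; State = 'n/a' } }
    return $hits
}

Test-SideloadedVersionDll | Format-Table -AutoSize
Test-VulnerableDellDriver | Format-Table -AutoSize
```

Processes of a different bitness than the PowerShell host may not expose their module list, so run this from a 64-bit elevated session for full coverage.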
Conclusion
The exploitation of the ESET vulnerability by ToddyCat highlights the ongoing cat-and-mouse game between cybersecurity solutions and advanced threat actors. It underscores the importance of staying vigilant and ensuring that all security software is up-to-date to protect against evolving threats. As the cybersecurity landscape continues to evolve, it is crucial for users and organizations to remain proactive in their defense strategies to avoid becoming the next target.