A Chinese language-affiliated menace actor identified for its cyber-attacks in Asia has been noticed exploiting a security flaw in security software program from ESET to ship a beforehand undocumented malware codenamed TCESB.
“Beforehand unseen in ToddyCat assaults, [TCESB] is designed to stealthily execute payloads in circumvention of safety and monitoring instruments put in on the system,” Kaspersky mentioned in an evaluation revealed this week.
ToddyCat is the title given to a menace exercise cluster that has focused a number of entities in Asia, with assaults relationship all the best way again to not less than December 2020.
Final 12 months, the Russian cybersecurity vendor detailed the hacking group’s use of assorted instruments to keep up persistent entry to compromised environments and harvest information on an “industrial scale” from organizations positioned within the Asia-Pacific area.
Kaspersky mentioned its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file (“model.dll”) within the temp listing on a number of gadgets. The 64-bit DLL, TCESB, has been discovered to be launched by way of a way referred to as DLL Search Order Hijacking to grab management of the execution movement.
This, in flip, is alleged to have been achieved by benefiting from a flaw within the ESET Command Line Scanner, which insecurely hundreds a DLL named “model.dll” by first checking for the file within the present listing after which checking for it within the system directories.
It is value stating at this stage that “model.dll” is a official version-checking and file set up library from Microsoft that resides within the “C:Windowssystem32” or “C:WindowsSysWOW64” directories.
A consequence of exploiting this loophole is that attackers might execute their malicious model of “model.dll” versus its official counterpart. The vulnerability, tracked as CVE-2024-11859 (CVSS rating: 6.8), was mounted by ESET in late January 2025 following accountable disclosure.
“The vulnerability probably allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code,” ESET mentioned in an advisory launched final week. “This system didn’t elevate the privileges, although – the attacker would have already wanted to have administrator privileges to carry out this assault.”
In an announcement shared with The Hacker Information, the Slovak cybersecurity firm mentioned it launched mounted builds of its client, enterprise, and server security merchandise for the Home windows working system to handle the vulnerability.
TCESB, for its half, is a modified model of an open-source software referred to as EDRSandBlast that features options to change working system kernel buildings to disable notification routines (aka callbacks), that are designed to permit drivers to be notified of particular occasions, akin to course of creation or setting a registry key.
To tug this off, TCESB leverages one other identified method known as convey your personal susceptible driver (BYOVD) to put in a susceptible driver, a Dell DBUtilDrv2.sys driver, within the system by means of the Gadget Supervisor interface. The DBUtilDrv2.sys driver is vulnerable to a identified privilege escalation flaw tracked as CVE-2021-36276.
This isn’t the primary time Dell drivers have been abused for malicious functions. In 2022, an identical privilege escalation vulnerability (CVE-2021-21551) in one other Dell driver, dbutil_2_3.sys, was additionally exploited as a part of BYOVD assaults by the North Korea-linked Lazarus Group to show off security mechanisms.
“As soon as the susceptible driver is put in within the system, TCESB runs a loop through which it checks each two seconds for the presence of a payload file with a particular title within the present listing – the payload might not be current on the time of launching the software,” Kaspersky researcher Andrey Gunkin mentioned.
Whereas the payload artifacts themselves are unavailable, additional evaluation has decided that they’re encrypted utilizing AES-128 and that they’re decoded and executed as quickly as they seem within the specified path.
“To detect the exercise of such instruments, it is beneficial to observe techniques for set up occasions involving drivers with identified vulnerabilities,” Kaspersky mentioned. “It is also value monitoring occasions related to loading Home windows kernel debug symbols on gadgets the place debugging of the working system kernel isn’t anticipated.”
