In recent cybersecurity developments, the advanced persistent threat (APT) group known as ToddyCat has been exploiting a vulnerability in ESET’s security software to deploy a novel malware dubbed TCESB. This sophisticated attack highlights the urgent need for organizations to audit their security protections and ensure they have the capabilities in place to defend against threats like TCESB.
Understanding the ESET Vulnerability
The vulnerability, identified as CVE-2024-11859, resides in ESET’s Command Line Scanner. It is a DLL (Dynamic-Link Library) search order hijacking flaw: the scanner resolves a library by name from directories it should not trust, so an attacker who already holds administrative privileges can place a malicious DLL in one of those directories and have the trusted scanner process load and execute it. Because the code runs inside a legitimate security product, the malware can operate stealthily and evade standard detection.
Introduction of TCESB Malware
Kaspersky’s cybersecurity research team uncovered TCESB, a 64-bit DLL written in C++, during investigations into ToddyCat-related incidents. This malware is designed to covertly execute payloads, circumventing protection and monitoring tools installed on the device. Notably, TCESB is a modified version of the open-source tool EDRSandBlast, enhanced to disable system notification routines and facilitate unauthorized activities.
Exploitation Techniques
ToddyCat pairs this vulnerability with the Bring Your Own Vulnerable Driver (BYOVD) technique. By installing a known vulnerable but legitimately signed driver, such as Dell’s DBUtilDrv2.sys, the attackers gain a write primitive into operating system kernel structures, which they use to disable security notification routines before running their payloads.
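The two techniques above (a planted DLL next to a trusted scanner, and a signed-but-vulnerable driver) each leave artifacts a defender can audit for. The following PowerShell script is an added example, not code from the article or from ESET or Kaspersky; the application directory to audit and the driver name list are assumptions to adjust per host, and it only reports findings, it changes nothing.

```powershell
# Added example (not from the original article): host-side audit for the
# DLL search-order hijack and BYOVD techniques described above.
param(
    # Assumption: directory of the scanner product to check for planted DLLs
    [string]$AppDir = 'C:\Program Files\ESET\ESET Security',
    # Driver name taken from the article; extend from a vendor blocklist as needed
    [string[]]$KnownBadDrivers = @('DBUtilDrv2.sys')
)

# 1. Is Microsoft's vulnerable driver blocklist enforced on this host?
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -ne 1) {
    Write-Warning "Vulnerable driver blocklist is not enabled (value: '$blocklist')"
}

# 2. Flag BYOVD candidates among installed kernel drivers, loaded or not.
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        # Strip the \??\ device-path prefix some drivers report before taking the leaf
        $leaf = Split-Path -Leaf ($_.PathName -replace '^\\\?\?\\', '')
        if ($KnownBadDrivers -contains $leaf) {
            Write-Warning "Known vulnerable driver present: $($_.Name) state=$($_.State) path=$($_.PathName)"
        }
    }
}

# 3. Search-order hijack check: the vendor's own DLLs carry a valid Authenticode
#    signature, so any DLL in the product directory that does not is suspicious.
if (Test-Path $AppDir) {
    Get-ChildItem -Path $AppDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "DLL without valid signature in app dir: $($_.FullName) status=$($sig.Status)"
        }
    }
} else {
    Write-Warning "App directory not found: $AppDir"
}
```

Run it elevated so the driver and registry queries succeed; a clean host produces no warnings.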
ESET’s Response and Recommendations
Upon discovery, ESET promptly addressed the vulnerability by releasing patched versions of their software in January 2025. They have urged all users to update their systems to the latest versions to mitigate potential exploitation risks. ESET emphasized that while the flaw allows for malicious DLL execution, attackers would require existing administrative privileges to exploit it.
Implications for Cybersecurity
This incident highlights the evolving tactics of APT groups like ToddyCat and the necessity for organizations to remain vigilant. Collaborating with a cybersecurity company or consulting with a cybersecurity advisor can provide the expertise needed to navigate such threats. Implementing proper cybersecurity measures, conducting regular cybersecurity audits, and applying software updates promptly are crucial steps in safeguarding against sophisticated cyber threats.