APT Group ToddyCat Exploits ESET Vulnerability to Deploy Malware

Article Highlights
Off On

In 2024, cybersecurity investigators stumbled upon an alarming development when they discovered suspicious files labeled “version.dll” in the temporary directories of multiple compromised devices. These files were part of an advanced persistent threat (APT) group’s sophisticated attack strategy involving the deployment of malicious tools by exploiting a vulnerability in ESET’s command line scanner. The vulnerability, identified as CVE-2024-11859, allowed attackers to circumvent security monitoring by executing harmful payloads within a trusted security solution. This breach underscored the necessity for heightened vigilance and the continuous advancement of cybersecurity measures.

The Vulnerability and Exploitation

The core of the exploitation involved a tool known as TCESB, which was meticulously crafted to bypass protection mechanisms. Hackers leveraged the vulnerability in ESET’s command line scanner (ecls), which insecurely loaded Dynamic Link Library (DLL) files. ESET promptly addressed this security flaw by issuing a patch on January 21, 2025, after the registration of CVE-2024-11859. This proactive approach was critical in mitigating the risks associated with the vulnerability.

The exploitation process employed by the attackers revolved around DLL proxying, a method cataloged under MITRE ATT&CK T1574. This approach enabled the TCESB tool to redirect calls to legitimate DLL files while concurrently executing malicious operations. This deception stemmed from the ESET scanner’s insecure loading mechanism, which inadvertently allowed the malicious DLL to be loaded. Such sophisticated techniques exemplify the evolving nature of cyber threats and the innovative methods malicious actors use to maintain system access undetected.

Advanced Techniques Employed

Detailed analysis of the TCESB tool revealed it was developed using the open-source tool EDRSandBlast, but with enhanced functionalities tailored to manipulate Windows kernel structures and disable system event notifications. The attackers adopted the Bring Your Own Vulnerable Driver (BYOVD) technique, specifically exploiting the CVE-2021-36276 vulnerability in the Dell DBUtilDrv2.sys driver. This technique permitted the attackers to execute privileged kernel-level operations, significantly elevating the threat posed by the tool.

To ensure successful payload execution, the TCESB tool continuously monitored the current directory for specific files named “kesp” or “ecore” every two seconds. Upon detection, these files were decrypted using AES-128 encryption with the key stored in the payload file’s first 32 bytes. This meticulous approach ensured that the payload was deployed only after an initial successful infiltration, highlighting the attackers’ adeptness in maintaining stealth and persistence within compromised systems.

Mitigation and Future Considerations

The sophistication of the ToddyCat group’s attack strategy signals a critical need for enhanced vigilance among security professionals. It is imperative to monitor installation events involving known vulnerable drivers and keep an eye on Windows kernel debug symbol loading events, especially on systems not expected to undergo kernel debugging. Resources such as the loldrivers project can be instrumental in identifying and mitigating the risks associated with such drivers. This incident sheds light on the ever-advancing tactics used by adept threat actors, who successfully exploit even trusted security solutions to remain undetected within systems. This reinforces the necessity for continuous monitoring, adaptation, and the implementation of robust cybersecurity measures to counter sophisticated threats effectively. Organizations must invest in proactive security measures and remain informed about the latest vulnerabilities and exploitation techniques employed by cyber adversaries to protect their digital assets.

Conclusion and Strategic Response

In 2024, cybersecurity researchers made a startling discovery when they found suspicious files named “version.dll” in the temporary directories of several infiltrated devices. These files were linked to a sophisticated attack strategy executed by an advanced persistent threat (APT) group. The APT group exploited a vulnerability, designated as CVE-2024-11859, in ESET’s command line scanner to deploy malicious tools. This vulnerability allowed the attackers to bypass security monitoring by running harmful payloads within a trusted security solution, making detection substantially more challenging. This incident highlighted the critical need for increased vigilance and the continuous enhancement of cybersecurity defenses. The discovery stressed the importance of staying ahead in the constant battle against cyber threats, ensuring that security measures are regularly updated and refined. It served as a reminder that cybersecurity is a never-ending endeavor, requiring constant innovation and diligence to protect sensitive information and systems from sophisticated adversaries.

Explore more

How Does BreachLock Lead in Offensive Cybersecurity for 2025?

Pioneering Proactive Defense in a Threat-Laden Era In an age where cyber threats strike with alarming frequency, costing global economies billions annually, the cybersecurity landscape demands more than passive defenses—it craves aggressive, preemptive strategies. Imagine a world where organizations can anticipate and neutralize attacks before they even materialize. This is the reality BreachLock, a recognized leader in offensive security, is

Why Are Companies Hiring Recruiters Amid Market Uncertainty?

In a world where headlines scream of layoffs and hiring freezes, a startling statistic emerges: job postings for recruiters have surged by 14.5% year-over-year, signaling a surprising trend. Amidst economic turbulence, companies across industries are not just holding steady but actively seeking talent scouts to bolster their teams, raising a critical question about their strategy. This unexpected trend prompts us

What Is Workato’s Pioneering AI Agent Platform for Enterprises?

I’m thrilled to sit down with Aisha Amaira, a renowned MarTech expert whose passion for blending technology with marketing has transformed how businesses harness customer insights. With her deep expertise in CRM marketing technology and customer data platforms, Aisha brings a unique perspective on the intersection of AI and enterprise solutions. Today, we’ll dive into her thoughts on Workato’s Enterprise

How Are CISOs Enhancing Cloud Security Amid CISA Delays?

Navigating Cloud Security Challenges in Uncertain Times In an era where cyber threats loom larger than ever, with cloud-based systems becoming the backbone of organizational operations, Chief Information Security Officers (CISOs) face an unprecedented challenge made worse by the expiration of key federal cybersecurity legislation. This expiration has left a void in critical threat intelligence sharing, compounded by a government

Ready to Trade In Your Old Windows 10 for Big Savings?

Introduction Imagine waking up to find that your trusty laptop, running on Windows 10, is no longer receiving critical security updates, leaving it vulnerable to cyber threats. With Microsoft officially ending support for Windows 10, millions of users face the pressing need to upgrade to ensure safety and compatibility. This shift marks a significant moment for device owners, as clinging