ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack


A cybercriminal group linked to a series of attacks across Asia has been exploiting a security vulnerability in ESET’s security software to deploy a previously unknown malware strain called TCESB. This threat takes advantage of a flaw in ESET’s security tools to bypass defenses and silently execute malicious code on compromised devices.

The malware was linked to ToddyCat, a known advanced persistent threat (APT) group believed to be operating out of China.

According to a detailed analysis released by Andrey Gunkin, a researcher at cybersecurity company Kaspersky, the attackers found a way to run their malicious software using ESET’s command-line scanner (ecls), allowing it to avoid detection.

How the malware works

The hackers used a method called DLL Search Order Hijacking. When an application loads a library by name, Windows checks the application's own folder before the system folder, so a fake copy of a system DLL placed next to the executable is loaded instead of the real one.

In this case, the malicious file was named version.dll, the name of a real system library that handles version-information lookups, but here it carried the TCESB malware. ESET's command-line scanner loaded the fake copy from its own directory before the genuine one in the system folder, letting the malware run under the cover of a trusted security process.

Kaspersky’s analysis revealed that TCESB is based on EDRSandBlast, an open-source tool known for evading endpoint detection systems. But ToddyCat didn’t just reuse it — they modified and extended it, making the new version even more capable of slipping under the radar.

To pull this off, the malware uses a technique known as BYOVD (Bring Your Own Vulnerable Driver). In simple terms, it installs an old, buggy Dell driver (DBUtilDrv2.sys, which contains the CVE-2021-36276 vulnerability) to gain access to the system.

Once installed, TCESB checks for a separate encrypted payload file every two seconds. When the attacker drops the payload into the system, the malware decrypts and executes it — all without triggering security software.

What has been done?

ESET was notified of the vulnerability in a responsible disclosure process. The flaw, now tracked as CVE-2024-11859, was patched by ESET in January after being reported. ESET confirmed this in a security advisory last week, rating it as a medium-severity issue with a CVSS score of 6.8.

What this means for users and organizations

This attack reminds us that even trusted security software can be used against us. TCESB used a chain of old vulnerabilities and clever programming to hide in plain sight, making it hard to detect using traditional tools.

Security experts recommend that IT teams:

  • Update ESET software immediately to patch the vulnerability.
  • Monitor systems for old or vulnerable drivers.
  • Watch for unexpected downloads of Windows debug files, which could indicate that someone is probing deep into the system.

Kaspersky’s researchers also advise regularly checking all loaded system library files to ensure they are digitally signed and untampered.
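The two checks recommended above (vulnerable drivers, and loaded system libraries that are unsigned or out of place), as an added PowerShell example that is not code from the article, Kaspersky or ESET. It assumes an elevated shell, and the watched DLL name list is mine; DBUtilDrv2.sys is the driver named in the article.

```powershell
# Added example: defender-side checks for the two findings described in the article.
# Run elevated so protected processes expose their module lists.

function Find-SideloadedSystemDll {
    # Report watched system DLL names loaded from outside System32 / SysWOW64,
    # together with the Authenticode status of the file actually loaded.
    param([string[]]$WatchedNames = @('version.dll'))   # assumption: extend for your estate
    $systemDirs = @([Environment]::GetFolderPath('System'),
                    [Environment]::GetFolderPath('SystemX86')) |
                  ForEach-Object { $_.TrimEnd('\') }
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # access denied on some processes
        foreach ($m in $modules) {
            if ($WatchedNames -notcontains $m.ModuleName) { continue }
            $dir = [IO.Path]::GetDirectoryName($m.FileName).TrimEnd('\')
            if ($systemDirs -icontains $dir) { continue }      # genuine copy, nothing to report
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [PSCustomObject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Signature = $sig.Status          # Valid / NotSigned / HashMismatch / ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
    }
}

function Find-VulnerableDriver {
    # Look for known-vulnerable driver binaries registered as system drivers.
    param([string[]]$DriverNames = @('DBUtilDrv2.sys'))   # CVE-2021-36276, per the article
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $DriverNames -icontains [IO.Path]::GetFileName($_.PathName)
    } | Select-Object Name, State, StartMode, PathName
}

Find-SideloadedSystemDll | Format-Table -AutoSize
Find-VulnerableDriver    | Format-Table -AutoSize
```

Any row from the first function with a non-Valid signature, or a Valid signature from an unexpected signer, deserves a closer look at the executable sitting in the same directory.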

Aminu Abdullahi
