APT Group “ToddyCat” Exploits ESET Vulnerability to Silently Deploy Malware

135/68 Wednesday, April 9, 2025

Researchers have discovered that the APT group ToddyCat, suspected to be linked to China, is exploiting a now-patched vulnerability (CVE-2024-11859) in ESET antivirus software to stealthily load and execute malware on target systems. The vulnerability, fixed in January 2024, stems from insecure DLL search-order handling: the affected component resolves a library by name rather than by a fixed path, so a malicious DLL with the expected name placed in an unintended directory is loaded in place of the legitimate system file. Kaspersky reported finding this flaw while analyzing a suspicious version.dll file hidden in the temporary folder of an infected machine. The file turned out to be a previously unseen ToddyCat malware dubbed TCESB.

TCESB is designed to execute malicious code undetected, with capabilities to disable alerts and Windows kernel-level security mechanisms. It carries predefined data for specific kernel versions and tailors the attack to whichever one it finds. If the running kernel matches none of them, the malware fetches the corresponding debugging symbols from Microsoft's servers so that its kernel-level tampering fits that build. Kaspersky noted that TCESB is a new tool, never before associated with ToddyCat, and appears to be aimed at government and defense entities in the Asia-Pacific region.

In this campaign, ToddyCat also leveraged a second vulnerability, CVE-2021-36276, found in a Dell driver originally intended for BIOS and driver updates. This flaw allowed the attackers to gain kernel-level access without triggering detection. Kaspersky recommends that organizations audit for unauthorized or vulnerable driver installations, as well as unusual Windows kernel debug symbol downloads, especially on systems not meant for debugging. These indicators may signal attempts by threat actors like ToddyCat to silently gain control of infrastructure without alerting administrators.
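A small triage script for the two indicators in Kaspersky's recommendation, added here as an example rather than code from the article or from Kaspersky. It assumes msdl.microsoft.com as the Microsoft symbol server (the article only says "Microsoft's servers") and runs over constructed key=value log lines standing in for proxy and image-load telemetry.

```python
import re
from dataclasses import dataclass

# Assumption: Microsoft's public symbol server; the article only says "Microsoft's servers".
SYMBOL_HOSTS = {"msdl.microsoft.com"}
PDB_URL = re.compile(r"https?://(?P<host>[^/]+)/download/symbols/(?P<pdb>[^/]+\.pdb)/", re.I)
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass
class Finding:
    host: str
    rule: str
    detail: str

def parse_record(line: str) -> dict:
    """Turn a constructed 'key=value key="value with spaces"' line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def audit(lines, debug_hosts):
    """Flag kernel-symbol downloads from non-debugging hosts and version.dll loaded from a temp dir."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        host = rec.get("host", "?")
        if rec.get("type") == "proxy":
            m = PDB_URL.match(rec.get("url", ""))
            if m and m["host"].lower() in SYMBOL_HOSTS and host not in debug_hosts:
                findings.append(Finding(host, "kernel-symbol-download", m["pdb"]))
        elif rec.get("type") == "imageload":
            image = rec.get("image", "")
            # A version.dll outside System32 (here: a temp folder) is the search-order hijack pattern.
            if image.lower().endswith("\\version.dll") and TEMP_DIR.search(image):
                findings.append(Finding(host, "dll-search-order-hijack", image))
    return findings

# Constructed sample telemetry (not real logs): DEV-01 is an approved debugging workstation,
# WS-042 is an ordinary endpoint showing both indicators. The GUID segment is a placeholder.
SAMPLE_LOGS = [
    'type=proxy host=DEV-01 url=https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/PLACEHOLDERGUID/ntkrnlmp.pdb',
    'type=proxy host=WS-042 url=https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/PLACEHOLDERGUID/ntkrnlmp.pdb',
    'type=imageload host=WS-042 image="C:\\Windows\\System32\\version.dll" process="C:\\Windows\\explorer.exe"',
    'type=imageload host=WS-042 image="C:\\Users\\user\\AppData\\Local\\Temp\\version.dll" process="C:\\Temp\\scanner.exe"',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS, debug_hosts={"DEV-01"}):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

Only the non-debugging host and the temp-folder copy of version.dll are reported; the System32 copy and the approved workstation's symbol fetch are left alone.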

Source: https://www.darkreading.com/vulnerabilities-threats/toddycat-apt-eset-bug-silent-malware