Ethical Hacking News
New TCESB Malware Exploits Vulnerability in ESET Security Scanner
A previously undocumented malware codenamed TCESB has been found to be exploiting a security flaw in the ESET Command Line Scanner. The vulnerability was discovered as part of an investigation into a threat activity cluster known as ToddyCat, which has targeted several entities in Asia since December 2020.
The TCESB malware exploits a security flaw in the ESET Command Line Scanner (CVE-2024-11859, CVSS score: 6.8) to deliver stealthy payloads. The vulnerability allows attackers to execute their malicious version of "version.dll" as opposed to its legitimate counterpart. TCESB leverages the BYOVD technique to install a vulnerable driver in the system, exploiting a known privilege escalation flaw (CVE-2021-36276). The malware runs a loop to check for the presence of a payload file and executes it as soon as it appears. Organizations must take proactive measures to secure their Windows-based systems against such threats, including timely patching, monitoring system logs, and implementing robust security controls.
The cybersecurity landscape has recently witnessed a concerning development, as researchers have identified a previously undocumented malware codenamed TCESB, which is being used by threat actors to exploit a security flaw in the ESET Command Line Scanner. According to Russian cybersecurity vendor Kaspersky, the malware was discovered as part of an investigation into a threat activity cluster known as ToddyCat.
The ToddyCat attacks have been targeted at several entities in Asia since December 2020, with the threat actors employing various tools to maintain persistent access to compromised environments and harvest data on an "industrial scale" from organizations located in the Asia-Pacific region. In early 2024, Kaspersky researchers unearthed a suspicious DLL file named "version.dll" in the temp directory of multiple devices. This 64-bit DLL, TCESB, has been found to be launched via a technique called DLL Search Order Hijacking to seize control of the execution flow.
The vulnerability being exploited here stems from a flaw in the ESET Command Line Scanner, which insecurely loads a DLL named "version.dll" by first checking for the file in the current directory and then checking for it in the system directories. It's worth noting that "version.dll" is a legitimate version-checking and file installation library from Microsoft that resides in the "C:\Windows\system32\" or "C:\Windows\SysWOW64\" directories.
The consequence of exploiting this loophole is that attackers could execute their malicious version of "version.dll" as opposed to its legitimate counterpart. The vulnerability, tracked as CVE-2024-11859 (CVSS score: 6.8), was fixed by ESET in late January 2025 following responsible disclosure.
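The hijack works because a copy of a system DLL placed earlier in the search path wins over the genuine one, so a defender's first check is simply whether such copies exist outside the system directory. The following audit is an added example, not code from the Kaspersky report or ESET; it assumes a watched-name list (version.dll from the article) and builds a constructed throwaway directory tree with a fake system32 and Temp folder to show the check end to end.

```python
import hashlib
import tempfile
from pathlib import Path

# System DLL names to look for outside the system directory. version.dll is the
# one TCESB planted; the set is constructed here and should grow from your own baseline.
WATCHED_DLLS = {"version.dll"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_sideload_candidates(system_dir: Path, audit_dirs: list[Path]) -> list[dict]:
    """Report copies of watched system DLLs found under audit_dirs.

    A loader that checks the current or application directory before the system
    directory resolves these copies first, which is the hijack the scanner flaw
    enabled. A hash mismatch against the genuine copy is the stronger signal; an
    identical copy is still out of place and is reported too.
    """
    genuine = {n: sha256_of(system_dir / n) for n in WATCHED_DLLS if (system_dir / n).is_file()}
    findings = []
    for root in audit_dirs:
        for p in root.rglob("*"):
            if p.is_file() and p.name.lower() in WATCHED_DLLS:
                digest = sha256_of(p)
                findings.append({"path": str(p), "sha256": digest,
                                 "matches_system_copy": genuine.get(p.name.lower()) == digest})
    return findings

def build_demo_tree() -> tuple[Path, Path]:
    """Constructed throwaway layout: a fake system dir holding the genuine DLL and
    a fake Temp dir holding a planted copy with different contents."""
    base = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    system_dir, temp_dir = base / "system32", base / "Temp"
    for d in (system_dir, temp_dir):
        d.mkdir()
    (system_dir / "version.dll").write_bytes(b"MZ genuine version.dll (constructed)")
    (temp_dir / "version.dll").write_bytes(b"MZ planted version.dll (constructed)")
    (temp_dir / "notes.txt").write_bytes(b"unrelated file, must not be reported")
    return system_dir, temp_dir

def demo() -> list[dict]:
    system_dir, temp_dir = build_demo_tree()
    return find_sideload_candidates(system_dir, [temp_dir])
```

Call demo() to run it against the constructed tree; in practice point find_sideload_candidates at C:\Windows\System32 and the temp and application directories you want audited.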
In a statement shared with The Hacker News, the Slovak cybersecurity company said it released fixed builds of its consumer, business, and server security products for the Windows operating system to address the vulnerability. TCESB, for its part, is a modified version of an open-source tool called EDRSandBlast that includes features to alter operating system kernel structures to disable notification routines (aka callbacks), which are designed to allow drivers to be notified of specific events, such as process creation or setting a registry key.
To pull off this attack, TCESB leverages another known technique referred to as bring your own vulnerable driver (BYOVD) to install a vulnerable driver, a Dell DBUtilDrv2.sys driver, in the system through the Device Manager interface. The DBUtilDrv2.sys driver is susceptible to a known privilege escalation flaw tracked as CVE-2021-36276.
Once the vulnerable driver is installed in the system, TCESB runs a loop in which it checks every two seconds for the presence of a payload file with a specific name in the current directory – the payload may not be present at the time of launching the tool. While the payload artifacts themselves are unavailable, further analysis has determined that they are encrypted using AES-128 and that they are decoded and executed as soon as they appear in the specified path.
"To detect the activity of such tools, it's recommended to monitor systems for installation events involving drivers with known vulnerabilities," Kaspersky said. "It's also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected."
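One way to act on the first recommendation is to run driver installation and driver load events through a watchlist. The classifier below is an added example rather than anything from Kaspersky; it assumes events already parsed into dicts from Sysmon Event ID 6 (Driver loaded) and System log Event ID 7045 (service installed), takes DBUtilDrv2.sys from the article as the named driver, uses a placeholder rather than a real hash, and runs over constructed sample events.

```python
from pathlib import PureWindowsPath

# Constructed watchlist. DBUtilDrv2.sys is the driver named in the report
# (CVE-2021-36276); the SHA256 entry is a PLACEHOLDER, not a real indicator,
# and should be filled from a vetted vulnerable-driver list you maintain.
VULNERABLE_DRIVER_NAMES = {"dbutildrv2.sys"}
VULNERABLE_DRIVER_SHA256 = {"placeholder-sha256-of-known-vulnerable-driver"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")

def parse_sysmon_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into a dict keyed by algorithm."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def classify_event(ev: dict) -> list[str]:
    """Reasons a driver-install or driver-load event deserves review (empty if none).
    Handles Sysmon Event ID 6 (Driver loaded) and System Event ID 7045 (service
    installed) when the new service is a kernel mode driver."""
    if ev["source"] == "Sysmon" and ev["event_id"] == 6:
        image, hashes = ev["ImageLoaded"], parse_sysmon_hashes(ev.get("Hashes", ""))
    elif (ev["source"] == "System" and ev["event_id"] == 7045
          and "kernel" in ev.get("ServiceType", "").lower()):
        image, hashes = ev["ServiceFileName"], {}
    else:
        return []
    reasons = []
    name = PureWindowsPath(image).name.lower()
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known-vulnerable driver name: {name}")
    if hashes.get("SHA256", "").lower() in VULNERABLE_DRIVER_SHA256:
        reasons.append("SHA256 is on the vulnerable-driver list")
    if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append(f"kernel driver staged in a user-writable path: {image}")
    return reasons

# Constructed sample events in the shape of the parsed log fields (not real telemetry).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 6, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Hashes": "SHA256=constructed-benign"},
    {"source": "System", "event_id": 7045, "ServiceName": "DBUtilDrv2", "ServiceType": "kernel mode driver",
     "ServiceFileName": r"C:\Users\admin\AppData\Local\Temp\DBUtilDrv2.sys", "StartType": "demand start"},
    {"source": "Sysmon", "event_id": 6, "Signed": "true",
     "ImageLoaded": r"C:\Users\admin\AppData\Local\Temp\DBUtilDrv2.sys",
     "Hashes": "SHA256=placeholder-sha256-of-known-vulnerable-driver"},
]

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that triggered at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify_event(ev))]
```

Running scan(SAMPLE_EVENTS) flags the two DBUtilDrv2.sys events and leaves the tcpip.sys load alone; the path heuristic is deliberately narrow so that drivers from the DriverStore are not reported.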
The discovery of TCESB highlights the importance of timely patching and updates in mitigating the risks posed by newly identified vulnerabilities. It also underscores the need for security awareness and education, as threat actors continue to evolve their tactics and exploit weaknesses in software and systems.
In light of this recent development, it is essential that organizations take proactive measures to secure their Windows-based systems against such threats. This includes ensuring that all security patches are applied in a timely manner, monitoring system logs for suspicious activity, and implementing robust security controls to detect and respond to potential breaches.
Furthermore, the incident serves as a reminder of the ongoing cat-and-mouse game between cybersecurity professionals and threat actors. As vulnerabilities are identified and patched, threat actors quickly adapt and find new ways to exploit them. Therefore, it is crucial that the cybersecurity community remains vigilant and continues to develop innovative solutions to stay ahead of emerging threats.
Summary:
The ESET Command Line Scanner has been found to be vulnerable to a security flaw that can be exploited by attackers to deliver a previously undocumented malware codenamed TCESB. The vulnerability was identified as CVE-2024-11859 (CVSS score: 6.8) and was fixed by ESET in late January 2025 following responsible disclosure. TCESB is designed to stealthily execute payloads while circumventing the protection and monitoring tools installed on the device, highlighting the importance of timely patching and updates in mitigating the risks posed by newly identified vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/New-TCESB-Malware-Exploits-Vulnerability-in-ESET-Security-Scanner-ehn.shtml
Published: Wed Apr 9 08:22:39 2025 by llama3.2 3B Q4_K_M