Full Report
A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB. "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an
Analysis Summary
# Threat Actor: ToddyCat (Chinese-affiliated)
## Attribution & Identity
- **Attribution:** Chinese-affiliated threat actor.
- **Known Aliases and Associated Groups:** Referred to as the "ToddyCat hacker group" and activity cluster.
## Activity Summary
ToddyCat activity dates back to at least December 2020, primarily targeting entities in the Asia-Pacific region. Recent activity involved exploiting a vulnerability in ESET security software to deliver a new malware, **TCESB**. The group is known for maintaining persistent access to environments and harvesting data on an "industrial scale" from targeted organizations.
## Tactics, Techniques & Procedures
- **Exploiting Vendor Software Flaws:** Exploiting CVE-2024-11859 in the ESET Command Line Scanner to achieve initial payload execution via DLL hijacking.
- **DLL Search Order Hijacking:** Utilizing an insecure DLL loading mechanism in the ESET software by placing a malicious `version.dll` in the current directory to override the legitimate Microsoft library.
- **Bring Your Own Vulnerable Driver (BYOVD):** Installing the vulnerable **Dell DBUtilDrv2.sys** driver (CVE-2021-36276) through the Device Manager interface to gain SYSTEM-level capabilities, most likely for privilege escalation.
- **Kernel Manipulation:** TCESB malware modifies operating system kernel structures to disable notification routines (callbacks), circumventing protection and monitoring tools.
- **Payload Delivery & Execution:** Checking for an encrypted payload file every two seconds; the payload is decrypted using AES-128 and executed upon appearance.
- **MITRE ATT&CK IDs (Inferred/Mentioned):**
  - BYOVD technique (related to privilege escalation via vulnerable drivers).
## Targeting
- **Sectors:** Not explicitly detailed, but activities involve general compromise and data harvesting from organizations.
- **Geography:** Asia, specifically the Asia-Pacific region.
- **Victims:** Several entities in Asia (specific named organizations not provided in the summary text).
## Tools & Infrastructure
- **Malware Families Used:**
  - **TCESB:** Previously undocumented malware, modified from the open-source tool EDRSandBlast, used for stealthy payload execution and disabling monitoring callbacks.
- **Infrastructure:**
  - **Vulnerable Drivers Abused (BYOVD):** Dell DBUtilDrv2.sys (vulnerable to CVE-2021-36276).
  - **Defanged URLs/IPs:** None explicitly listed for C2 or infrastructure in the provided context, which focuses on the vulnerability exploitation paths instead.
## Implications
ToddyCat demonstrates a sophisticated approach by chaining vulnerabilities: exploiting third-party security software (the ESET DLL hijacking flaw) to gain code execution, then leveraging a well-known, unpatched third-party driver vulnerability (Dell BYOVD) to escalate privileges and achieve deep system persistence by disabling security monitoring mechanisms directly at the kernel level. Their goal of industrial-scale data harvesting remains a significant threat to organizations in their targeted region.
## Mitigations
- Monitor systems for installation events involving drivers with known vulnerabilities (e.g., Dell drivers).
- Monitor for events associated with loading Windows kernel debug symbols on devices where kernel debugging is not expected.
- Ensure ESET products are patched to address CVE-2024-11859 (the patch was released in late January 2025).
- Verify that vulnerable drivers like Dell DBUtilDrv2.sys are updated to mitigate CVE-2021-36276.
- Implement strict controls over the installation of drivers/executables in temporary directories, especially when combined with elevated privileges.
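The monitoring points above (vulnerable driver installs, drivers landing in temporary directories, a `version.dll` dropped outside the system directories, and kernel debug symbol fetches on hosts that should not be debugging) can be expressed as simple hunting rules. The following is an added example, not code from Kaspersky, ESET or the report; the pipe-separated telemetry format, the host names and the sample records are all constructed for this example, and it assumes symbols are fetched from the public Microsoft symbol server.

```python
import ntpath

# Added example (not the report's code). Hunting rules over constructed telemetry
# in the assumed record format "<event>|<host>|<path>|<key=value>".
VULNERABLE_DRIVERS = {"dbutildrv2.sys"}            # from the report; extend locally
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")
SYMBOL_SERVER = "msdl.microsoft.com"                # public Microsoft symbol server

# Constructed sample records; hosts, users and file names are invented.
SAMPLE_EVENTS = """\
driver_install|ws-042|C:\\Users\\bob\\AppData\\Local\\Temp\\DBUtilDrv2.sys|signer=Dell
driver_install|ws-042|C:\\Windows\\System32\\drivers\\netio.sys|signer=Microsoft
file_create|ws-042|C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll|proc=unknown
file_create|ws-017|C:\\Windows\\System32\\version.dll|proc=TrustedInstaller.exe
net_connect|ws-042|C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe|dst=msdl.microsoft.com
net_connect|dev-kd1|C:\\Program Files\\WinDbg\\windbg.exe|dst=msdl.microsoft.com
"""

def parse_event(line):
    event, host, path, extra = line.split("|", 3)
    key, _, value = extra.partition("=")
    return {"event": event, "host": host, "path": path, key: value}

def detect(lines, kernel_debug_hosts=frozenset()):
    """Return (rule, host, path) for every record that matches a hunting rule."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_event(line)
        low = rec["path"].lower()
        name = ntpath.basename(low)
        if rec["event"] == "driver_install":
            # Rule 1: a known-vulnerable driver being installed (BYOVD).
            if name in VULNERABLE_DRIVERS:
                hits.append(("vulnerable_driver_install", rec["host"], rec["path"]))
            # Rule 2: any driver installed from a temporary directory.
            if any(m in low for m in TEMP_DIR_MARKERS):
                hits.append(("driver_from_temp_dir", rec["host"], rec["path"]))
        elif rec["event"] == "file_create" and name == "version.dll":
            # Rule 3: version.dll outside the system directories, i.e. the
            # search-order hijack used against the ESET scanner.
            if not low.startswith(SYSTEM_DIRS):
                hits.append(("version_dll_sideload", rec["host"], rec["path"]))
        elif rec["event"] == "net_connect" and rec.get("dst") == SYMBOL_SERVER:
            # Rule 4: symbol-server traffic from a host not used for kernel debugging.
            if rec["host"] not in kernel_debug_hosts:
                hits.append(("unexpected_symbol_fetch", rec["host"], rec["path"]))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, kernel_debug_hosts={"dev-kd1"}):
        print(*hit)
```

Rules 1 and 2 fire independently, so a known-vulnerable driver dropped in a temp directory produces two hits, which is useful for prioritising.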