ToddyCat Attackers Exploited ESET Command Line Scanner Vulnerability to Conceal Their Tool

In a sophisticated cyberattack, the notorious ToddyCat APT group utilized a previously unknown vulnerability in ESET’s Command Line Scanner (ecls) to mask their malicious activities.

The attack came to light when researchers detected a suspicious file named version.dll in the temp directories of multiple compromised systems.

This file was identified as a tool called TCESB, designed to execute payloads undetected by bypassing security monitoring tools.

ToddyCat exploited the DLL-proxying technique to run their malicious code.

This method involves a malicious DLL exporting functions identical to a legitimate library, redirecting calls to the original for normal operation while executing malicious code in the background.

The vulnerability, tagged as CVE-2024-11859, was identified in ESET’s scanner due to its insecure loading of the system library, version.dll, allowing malicious DLLs to be loaded if placed in the same directory.

The Tools and Techniques

To achieve kernel-level access, TCESB employed the Bring Your Own Vulnerable Driver (BYOVD) technique by installing a known vulnerable driver, Dell’s DBUtilDrv2.sys, which contains the CVE-2021-36276 vulnerability.

This driver is used for updating PC components but was repurposed by the attackers to modify kernel structures, thereby evading system event notifications.

The tool’s functionality includes disabling system event notifications like process creation or module loading, using kernel memory structures identified by scanning the Windows kernel version.

It checks either from a CSV file stored in its resources or fetches a PDB file from Microsoft’s debug information server if necessary.

Indicators of Compromise

• Malicious Files Hashes:
• D38E3830C8BA3A00794EF3077942AD96 (version.dll)
• 008F506013456EA5151DF779D3E3FF0F (version.dll)
• Legitimate Files for BYOVD:
• Dell DBUtilDrv2 driver files (dbutildrv2.INF, DBUtilDrv2.cat, dbutildrv2.sys)
• Legitimate file for DLL proxying:
• ESET Command-line scanner

This discovery underscores the importance of vigilant monitoring for driver installations, particularly those with known vulnerabilities listed on projects like loldrivers.

Furthermore, regular checks for the integrity of system files and monitoring for unusual kernel debugging activities are recommended to detect such sophisticated attacks.

ESET promptly patched the vulnerability on January 21, 2025, after receiving a detailed report.

The security advisory was released on April 4, 2025, warning users about the risks associated with the previously exploited vulnerability.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!