- Kaspersky observed a threat actor called ToddyCat exploiting a bug in ESET's security software
- The group used the flaw, now patched, to deploy a piece of malware called TCESB
- Users are advised to patch their systems and monitor for threats
A component of ESET's endpoint protection solution has been abused to launch stealthy malware on Windows devices, researchers say.
In an in-depth report published earlier this week, Kaspersky security researchers said they had seen a vulnerability in ESET's command-line scanner exploited to deploy a tool called TCESB.
The vulnerability, now tracked as CVE-2024-11859, allowed attackers to hijack the way the scanner loads system libraries. Instead of retrieving the legitimate libraries from the system directories, the scanner would first look in its current working directory, a classic DLL search-order hijack. Any library planted there is loaded into the scanner's own process, and in this campaign that foothold was used for a "Bring Your Own Vulnerable Driver" (BYOVD) approach.
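The search-order problem above can be audited from the defender's side: if a DLL that Windows programs normally import by bare name (version.dll in this case) sits in the directory a scanner is run from, and its contents differ from the copy in System32, it will be loaded in place of the genuine one. The following checker is an added illustration, not ESET's or Kaspersky's code. The directory layout, the file contents, the scanner name `scanner.exe` and the list of watched DLL names beyond version.dll are all constructed assumptions, so the script runs offline on any operating system.

```python
"""Audit a directory for DLL search-order hijack candidates (added example).

Flags any DLL in an application or working directory whose name matches a DLL
shipped in the system directory but whose contents differ. An identical copy
is treated as a benign redistributable, not a hijack.
"""
import hashlib
import tempfile
from pathlib import Path

# DLLs commonly abused for side-loading because most Windows programs import
# them by bare name. version.dll is the one named in the report; the others
# are illustrative additions (assumption, not from the report).
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_sideload_candidates(app_dir: Path, system_dir: Path) -> list[dict]:
    """Return DLLs in app_dir that shadow a same-named DLL in system_dir."""
    hits = []
    for entry in sorted(app_dir.iterdir()):
        name = entry.name.lower()
        if not entry.is_file() or name not in WATCHED_DLLS:
            continue
        system_copy = system_dir / name
        if not system_copy.is_file():
            continue  # nothing to shadow
        app_hash, sys_hash = sha256_of(entry), sha256_of(system_copy)
        if app_hash != sys_hash:
            hits.append({
                "dll": name,
                "path": str(entry),
                "app_sha256": app_hash,
                "system_sha256": sys_hash,
            })
    return hits


def build_demo_tree(root: Path) -> tuple[Path, Path]:
    """Constructed layout: a fake System32 and a scanner directory with a planted version.dll."""
    system_dir = root / "System32"
    app_dir = root / "scanner"
    system_dir.mkdir()
    app_dir.mkdir()
    (system_dir / "version.dll").write_bytes(b"MZ genuine version.dll (constructed)")
    (system_dir / "dbghelp.dll").write_bytes(b"MZ genuine dbghelp.dll (constructed)")
    (app_dir / "scanner.exe").write_bytes(b"MZ command-line scanner (constructed)")
    # The planted loader: same name as a system DLL, different bytes.
    (app_dir / "version.dll").write_bytes(b"MZ planted loader (constructed)")
    # A byte-identical copy of a system DLL: benign, must not be reported.
    (app_dir / "dbghelp.dll").write_bytes(b"MZ genuine dbghelp.dll (constructed)")
    return app_dir, system_dir


def run_demo() -> list[str]:
    """Build the constructed tree in a temp dir and return the names of shadowed DLLs."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir, system_dir = build_demo_tree(Path(tmp))
        return [hit["dll"] for hit in find_sideload_candidates(app_dir, system_dir)]


if __name__ == "__main__":
    print("shadowed DLLs:", run_demo())  # ['version.dll']
```

On a real host you would point `find_sideload_candidates` at every directory containing the scanner executable (and at any directory it is launched from by scheduled tasks or scripts) and at `C:\Windows\System32`; a hash mismatch on version.dll is exactly the artifact described in the report.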
ToddyCat
The group behind the attack is known as ToddyCat, an advanced persistent threat (APT) group first observed in 2021. It is known to target government and military organizations, diplomatic entities and critical infrastructure, mainly in Asia and Europe, and there are indications that it is Chinese or China-aligned, though this has not been confirmed.
In this case the researchers did not discuss the victims, their industry or their location. They did say that ToddyCat was able to place a malicious version.dll alongside the ESET scanner, which caused the endpoint protection tool to execute the group's custom malware and thereby bypass standard security detection mechanisms.
TCESB is a modified version of an open-source tool called EDRSandBlast, Kaspersky said, with added functionality that modifies operating-system kernel structures and can disable callbacks (notification routines), the kernel hooks that security products rely on to be told about process, thread and image-load events.
ESET fixed the flaw in January 2025 after responsible disclosure. Organizations using this popular endpoint protection solution are urged to update as soon as possible and to monitor their endpoints closely:
“To detect the activity of these tools, it is recommended to monitor system installation events involving drivers with known vulnerabilities,” Kaspersky said. “It is also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected.”
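The two signals Kaspersky recommends watching can be turned into detection logic over endpoint telemetry. The script below is an added example, not Kaspersky's or ESET's code. It reads Sysmon-style events in a simplified JSON-lines form: the field names follow Sysmon's DriverLoad (Event ID 6) and FileCreate (Event ID 11) events, but the sample events, the hostnames, the vulnerable-driver hash and the list of approved kernel-debugging hosts are all constructed assumptions. It raises an alert for a driver load whose SHA-256 is on a vulnerable-driver list (the BYOVD signal), for a kernel symbol file (.pdb for ntoskrnl and its variants) being written on a host not approved for kernel debugging, and a higher-severity finding when both occur on the same host.

```python
"""Hunt for the two detection signals recommended in the report (added example)."""
import json
from collections import defaultdict

# Hypothetical blocklist entry. In practice populate this from a curated
# vulnerable-driver feed; the hash below is constructed for the demo.
VULNERABLE_DRIVER_SHA256 = {
    "7f" * 32: "demo-vuln-driver.sys",
}
# File names under which Windows publishes kernel debug symbols.
KERNEL_PDB_NAMES = {"ntoskrnl.pdb", "ntkrnlmp.pdb", "ntkrpamp.pdb", "ntkrnlpa.pdb"}
# Hosts where kernel debugging is expected (assumption for the demo).
APPROVED_KERNEL_DEBUG_HOSTS = {"kd-lab-01"}

# Constructed sample telemetry, one JSON event per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 6, "Computer": "ws-042",
                "ImageLoaded": r"C:\Users\Public\demo-vuln-driver.sys",
                "Hashes": "SHA256=" + "7F" * 32 + ",MD5=" + "00" * 16, "Signed": "true"}),
    json.dumps({"EventID": 6, "Computer": "ws-042",
                "ImageLoaded": r"C:\Windows\System32\drivers\legit.sys",
                "Hashes": "SHA256=" + "11" * 32, "Signed": "true"}),
    json.dumps({"EventID": 11, "Computer": "ws-042", "Image": r"C:\Users\Public\svc.exe",
                "TargetFilename": r"C:\Users\Public\sym\ntoskrnl.pdb\ABCD1234\ntoskrnl.pdb"}),
    json.dumps({"EventID": 11, "Computer": "kd-lab-01", "Image": r"C:\Tools\windbg.exe",
                "TargetFilename": r"C:\Symbols\ntoskrnl.pdb\ABCD1234\ntoskrnl.pdb"}),
    json.dumps({"EventID": 11, "Computer": "ws-042", "Image": r"C:\Program Files\Office\word.exe",
                "TargetFilename": r"C:\Users\alice\Documents\report.docx"}),
])


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip():
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect(event_lines: str) -> list[dict]:
    """Evaluate each event against the two rules and return the alerts in order."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 6:
            sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha in VULNERABLE_DRIVER_SHA256:
                alerts.append({"rule": "vulnerable_driver_load", "host": host,
                               "detail": ev.get("ImageLoaded", "")})
        elif ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in KERNEL_PDB_NAMES and host not in APPROVED_KERNEL_DEBUG_HOSTS:
                alerts.append({"rule": "kernel_symbols_loaded", "host": host, "detail": target})
    return alerts


def correlate(alerts: list[dict]) -> list[str]:
    """Hosts showing both signals: a vulnerable driver plus kernel symbols is the
    combination an EDR-killer needs to locate and patch callback structures."""
    by_host = defaultdict(set)
    for alert in alerts:
        by_host[alert["host"]].add(alert["rule"])
    wanted = {"vulnerable_driver_load", "kernel_symbols_loaded"}
    return sorted(host for host, rules in by_host.items() if wanted <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("hosts with both signals:", correlate(found))  # ['ws-042']
```

Either rule on its own produces some benign noise (a vendor shipping an old driver, an engineer with a debugger); the correlation step is what makes the pair worth paging on, because ordinary software has no reason to both load a known-vulnerable driver and fetch kernel symbols on the same machine.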
Via The Hacker News