- Kaspersky observed a threat actor called ToddyCat exploiting a flaw in ESET's cybersecurity solution
- The group used the now-patched flaw to deploy a piece of malware called TCESB
- Users are advised to patch their systems and monitor for threats
A component of ESET's endpoint protection solution was abused to launch stealthy malware on Windows devices, researchers say.
In an in-depth report published earlier this week, security researchers from Kaspersky said they saw a critical vulnerability in ESET's command-line scanner being abused to deploy a tool called TCESB.
The vulnerability, now tracked as CVE-2024-11859, enabled attackers to hijack the loading of system libraries by abusing how the ESET scanner loads them. Instead of retrieving legitimate libraries from the system directories, the scanner would first look in its current working directory, which enabled a classic "Bring Your Own Vulnerable Driver" approach.
ToddyCat
The group behind the attack is called ToddyCat. It is an advanced persistent threat (APT) group that was first observed in 2021. It is known to target government and military organizations, diplomatic entities and critical infrastructure. Its targets are mostly located in Asia and Europe, and there are some indications that it may be either Chinese or China-adjacent. However, this has not been confirmed.
In this case, the researchers did not discuss the victims, their industry or their location. However, they said ToddyCat was able to place a malicious variant of version.dll alongside ESET's scanner, forcing the endpoint protection tool to run the custom malware and thus bypassing standard security detection mechanisms.
The TCESB malware is a modified version of an open-source tool called EDRSandBlast, Kaspersky also explained, saying it includes features that modify OS kernel structures and can disable notification callback routines.
ESET patched the flaw in January 2025 after responsible disclosure. Organizations using this popular endpoint protection solution are encouraged to update their systems as soon as possible and to monitor their endpoints closely:
"To detect the activity of such tools, it is recommended to monitor systems for installation events involving drivers with known vulnerabilities," Kaspersky said. "It is also worth monitoring events associated with the loading of Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected."
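The two behaviours described above, a system DLL such as version.dll being loaded from the scanner's working directory instead of the Windows system directory, and a driver with a known vulnerability being loaded, can both be spotted in image-load and driver-load telemetry. The following added example (not code from Kaspersky, ESET or the ToddyCat report) runs those two checks over a handful of constructed Sysmon-style events. The event layout, the `scanner.exe` process name, the extra DLL names beyond version.dll, and the driver hashes are all assumptions; in a real deployment the hash list would come from a maintained known-vulnerable-driver feed and the system directories from `%SystemRoot%`.

```python
"""Detection pass over constructed image-load and driver-load events.

Added example, not the page's or any vendor's code. Event fields, paths and
hashes are made up for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories from which Windows system DLLs are legitimately loaded.
# Assumption: a default install under C:\Windows.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# DLLs commonly subject to search-order hijacking. version.dll is the one
# named in the article; the other two are added here as assumptions.
HIJACKABLE_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll"}

# Placeholder stand-ins for a known-vulnerable-driver hash list; not real hashes.
KNOWN_VULNERABLE_DRIVER_SHA256 = {
    "placeholder_vuln_driver_hash_1",
    "placeholder_vuln_driver_hash_2",
}


@dataclass
class Event:
    event_id: int       # 7 = image loaded, 6 = driver loaded (Sysmon numbering)
    image: str          # process that loaded the module (empty for driver loads)
    image_loaded: str   # full path of the DLL or driver
    sha256: str         # hash of the loaded file


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host OS)."""
    return ntpath.normpath(path).lower()


def is_system_path(path: str) -> bool:
    """True if the file sits in (or below) one of the Windows system directories."""
    directory = ntpath.dirname(_norm(path))
    return any(directory == s or directory.startswith(s + "\\") for s in SYSTEM_DIRS)


def check_image_load(ev: Event) -> str | None:
    """Flag a hijackable system DLL loaded from anywhere but the system directories."""
    name = ntpath.basename(_norm(ev.image_loaded))
    if name in HIJACKABLE_DLLS and not is_system_path(ev.image_loaded):
        return (f"possible DLL search-order hijack: {ev.image} loaded {name} "
                f"from {ntpath.dirname(ev.image_loaded)}")
    return None


def check_driver_load(ev: Event) -> str | None:
    """Flag a driver whose hash is on the known-vulnerable list."""
    if ev.sha256.lower() in KNOWN_VULNERABLE_DRIVER_SHA256:
        return f"known-vulnerable driver loaded: {ev.image_loaded} ({ev.sha256})"
    return None


def scan(events: list[Event]) -> list[str]:
    """Run the matching check for each event and collect the findings."""
    findings: list[str] = []
    for ev in events:
        finding = None
        if ev.event_id == 7:
            finding = check_image_load(ev)
        elif ev.event_id == 6:
            finding = check_driver_load(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two hijack-style loads, one vulnerable driver,
# and two benign events that must not fire.
SAMPLE_EVENTS = [
    Event(7, r"C:\Temp\scanner.exe", r"C:\Temp\version.dll", "aaaa"),
    Event(7, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", "bbbb"),
    Event(7, r"C:\Program Files\App\app.exe", r"C:\Program Files\App\cryptbase.dll", "cccc"),
    Event(6, "", r"C:\Windows\Temp\drv.sys", "PLACEHOLDER_VULN_DRIVER_HASH_1"),
    Event(6, "", r"C:\Windows\System32\drivers\good.sys", "dddd"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The DLL check deliberately keys on the load path rather than on the loading process, so a scanner or any other signed binary that resolves version.dll from its own directory is surfaced for review; the driver check is only as good as the hash list behind it, which is why it should be fed from a maintained source rather than a static set.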
Via The Hacker News