The ToddyCat APT group has developed a malware tool named TCESB that combines DLL proxying with the exploitation of a vulnerable driver to bypass security measures on Windows systems. The technique lets the attackers execute payloads stealthily and evade detection by security solutions. Affected: ESET, Windows systems
Key points:
- ToddyCat APT group has created a stealthy tool named TCESB.
- TCESB uses DLL proxying to execute malicious code while appearing to run legitimate functions.
- The tool contains strings linked to the open-source malware EDRSandBlast.
- Vulnerability CVE-2024-11859 was identified in ESET's command-line scanner.
- The malicious files include two versions of 'version.dll'; legitimate files are also abused for DLL proxying and BYOVD (bring your own vulnerable driver).
MITRE Techniques:
- DLL Proxying (T1574) – The TCESB tool uses DLL proxying to redirect calls from a malicious library to a legitimate system DLL.
- Exploitation for Defense Evasion (T1211) – The tool employs a vulnerable driver (CVE-2021-36276) to manipulate kernel structures for stealth operations.
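A DLL proxy keeps the legitimate file name (here 'version.dll') so the host process resolves it by search order, which means the tell-tale sign for a defender is that DLL name being loaded from somewhere other than the Windows system directories. The following detection logic is an added example, not code from the Securelist report; the Sysmon-style ImageLoad lines, the process name 'scanner.exe' and the trusted directory list are constructed assumptions.

```python
import re

# DLL name named on this page as the proxied library (a DLL proxy keeps the real name).
WATCHED_DLLS = {"version.dll"}

# Directories Windows normally loads these DLLs from (assumption: default install paths).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed Sysmon-style ImageLoad (Event ID 7) lines; not real telemetry.
SAMPLE_EVENTS = [
    r"Image: C:\Program Files\Scanner\scanner.exe ImageLoaded: C:\Windows\System32\version.dll",
    r"Image: C:\Users\Public\Scanner\scanner.exe ImageLoaded: C:\Users\Public\Scanner\VERSION.dll",
    r"Image: C:\Windows\explorer.exe ImageLoaded: C:\Windows\System32\kernel32.dll",
]

EVENT_RE = re.compile(r"Image: (?P<image>.+?) ImageLoaded: (?P<loaded>.+)$")


def normalize(path):
    """Lower-case the path and unify separators so prefix checks are stable."""
    return path.replace("/", "\\").rstrip("\\").lower()


def in_trusted_dir(loaded):
    """True if the loaded image sits in, or below, one of the trusted roots."""
    folder = normalize(loaded).rsplit("\\", 1)[0]
    return any(folder == root or folder.startswith(root + "\\") for root in TRUSTED_DIRS)


def suspicious_loads(events):
    """Return (process, loaded_path) pairs where a watched DLL name resolved outside trusted dirs."""
    hits = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        loaded = m.group("loaded").strip()
        name = normalize(loaded).rsplit("\\", 1)[-1]
        if name in WATCHED_DLLS and not in_trusted_dir(loaded):
            hits.append((m.group("image").strip(), loaded))
    return hits


if __name__ == "__main__":
    for proc, dll in suspicious_loads(SAMPLE_EVENTS):
        print(f"possible DLL proxy: {proc} loaded {dll}")
```

Only the second constructed event is flagged: the same DLL name resolved from the scanner's own directory rather than System32.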
Indicators of Compromise:
Full Story: https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/