TCESB Malware
A Chinese-affiliated threat actor known for its cyber-attacks across Asia, tracked as ToddyCat, has been observed exploiting a vulnerability in ESET security software to deliver a previously undocumented malware, codenamed TCESB. The malware is built to disable security tooling on the host and execute payloads undetected.
ToddyCat: A Persistent Threat in Asia
ToddyCat, an advanced threat group, has been active since at least December 2020, targeting multiple entities in Asia. Recent investigations into their activities revealed their use of various tools to maintain persistent access to compromised systems and collect vast amounts of data from organizations in the Asia-Pacific region.
Exploiting the Flaw: The DLL Hijacking Technique
Security researchers investigating ToddyCat-related incidents in early 2024 discovered a suspicious DLL file, 'version.dll', in the temp directory of multiple compromised devices. This file, identified as TCESB, was deployed using DLL Search Order Hijacking: rather than replacing a legitimate library, the attacker drops a DLL bearing the name of a legitimate system library where the target program will find it before the genuine copy, so the program loads the attacker's code as if it were the original.
The attack leverages a flaw in ESET's Command Line Scanner (ecls.exe), which loads 'version.dll' insecurely. Instead of resolving the legitimate copy from the system directories, it first checks the current directory, giving attackers an opportunity to introduce their own malicious DLL. A practitioner should note why this particular name works: version.dll is not on the Windows KnownDLLs list, so nothing forces the loader to take it from System32, and the loader will happily use whichever copy it finds first.
CVE-2024-11859: The Exploited Vulnerability
This vulnerability, tracked as CVE-2024-11859 (CVSS score: 6.8), allowed an attacker who already holds administrator privileges to run arbitrary code in the context of the scanner. The flaw itself did not grant elevated privileges; its value to the attacker is that the code runs inside a trusted, signed security product rather than as a standalone binary. ESET patched the vulnerability in January 2025, issuing updates for its consumer, business, and server security products on Windows.
Weaponizing EDRSandBlast: How TCESB Disables Security Protections
TCESB is a modified version of the open-source tool EDRSandBlast. It manipulates kernel structures to disable kernel notification routines (callbacks), the mechanism through which security drivers are told about events such as process creation, image loads or registry changes. With those callbacks removed, an EDR driver is blind to whatever the attacker does next.
Writing to kernel memory requires kernel-level access, so TCESB employs the well-known Bring Your Own Vulnerable Driver (BYOVD) technique: it installs a vulnerable, legitimately signed Dell driver (DBUtilDrv2.sys) via the Device Manager interface. This driver is affected by CVE-2021-36276, a privilege escalation vulnerability that exposes read and write access to arbitrary kernel memory, which is exactly what the tool needs to patch the callback structures.
Dell Drivers: A Recurring Weak Link
This is not the first time Dell drivers have been abused in cyber-attacks. In 2022, the North Korea-linked Lazarus Group exploited another Dell driver vulnerability (CVE-2021-21551, in dbutil_2_3.sys) to disable security mechanisms. Because these drivers carry a valid vendor signature, Windows will load them on an unpatched or unblocked system, and attackers continue to leverage outdated or vulnerable drivers to bypass security measures.
TCESB’s Execution Strategy
Once the vulnerable driver is installed, TCESB checks every two seconds for a payload file with a specific name in the current directory. If the payload is not present initially, TCESB simply keeps polling until it appears, which lets the operator stage the loader and deliver the payload separately. The payload, encrypted with AES-128, is then decrypted and executed in memory.
Detection and Prevention Measures
To counter such threats, security teams should:
- Monitor for driver installation events, especially those involving drivers with known vulnerabilities; matching on the driver's hash against a curated list is more robust than matching on its file name.
- Watch for kernel debug symbol loading, for example PDB downloads from the Microsoft symbol server, on systems where kernel debugging is not expected; EDRSandBlast-derived tools use symbols to locate the kernel structures they patch.
- Ensure all security software is updated, including patches for known vulnerabilities such as CVE-2024-11859.
- Restrict administrator privileges, since both the ESET flaw and the driver installation step require them.
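As an added worked example (this is not Kaspersky's detection content and not code from the ToddyCat report), the following Python script runs the checks that the DLL-hijacking section, the BYOVD section and the list above describe over a handful of constructed Sysmon-style event records: a hijack-prone system DLL loaded from outside the system directories (ImageLoad, Event ID 7), a known vulnerable Dell driver loaded (DriverLoad, Event ID 6), and a non-debugger process contacting the Microsoft symbol server (NetworkConnect, Event ID 3). The event field names follow Sysmon's conventions; the list of hijack-prone DLLs, the allow list of processes expected to fetch symbols, and the sample records themselves are assumptions made up for the example.

```python
"""Triage of constructed Sysmon-style records for the TCESB tradecraft described above.

Added example, not tooling from the original report. All lists and sample events
are assumptions; tune them to your environment before relying on them.
"""
import re
from pathlib import PureWindowsPath

# System DLLs frequently planted for search-order hijacking. version.dll is the one
# TCESB used; the others are additional common targets (assumption: site-specific list).
HIJACK_PRONE_DLLS = {"version.dll", "cryptsp.dll", "wtsapi32.dll", "dbghelp.dll"}

# Only these directories are legitimate homes for the DLLs above.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Vulnerable drivers named on the page, keyed by basename. A production rule should key
# on the driver's hash (for example from the LOLDrivers project) rather than its name.
VULNERABLE_DRIVERS = {
    "dbutildrv2.sys": "CVE-2021-36276",
    "dbutil_2_3.sys": "CVE-2021-21551",
}

# Processes that are expected to talk to the Microsoft symbol server (assumption).
EXPECTED_SYMBOL_CLIENTS = {"windbg.exe", "windbgx.exe", "kd.exe", "devenv.exe"}
SYMBOL_SERVER = "msdl.microsoft.com"

# Constructed sample records in a flat "Key=Value Key=Value" form (values may contain spaces).
EVENT_LINES = [
    r"EventID=7 Image=C:\Users\Public\Temp\ecls.exe ImageLoaded=C:\Users\Public\Temp\version.dll Signed=false",
    r"EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\DBUtilDrv2.sys Signed=true Signature=Dell Inc.",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature=Microsoft Windows",
    r"EventID=3 Image=C:\Users\Public\Temp\ecls.exe DestinationHostname=msdl.microsoft.com DestinationPort=443",
    r"EventID=3 Image=C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe DestinationHostname=msdl.microsoft.com DestinationPort=443",
]


def parse_event(line: str) -> dict:
    """Parse one record into a dict; a value runs until the next ' Key=' or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def is_system_dir(path: str) -> bool:
    """True if the path sits under System32 or SysWOW64 (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DLL_DIRS)


def check_dll_hijack(ev: dict):
    """Flag a hijack-prone DLL name loaded from anywhere but the system directories."""
    if ev.get("EventID") != "7":
        return None
    loaded = ev["ImageLoaded"]
    if PureWindowsPath(loaded).name.lower() in HIJACK_PRONE_DLLS and not is_system_dir(loaded):
        return f"dll-search-order-hijack: {ev['Image']} loaded {loaded}"
    return None


def check_byovd(ev: dict):
    """Flag a driver load whose basename is on the vulnerable-driver list."""
    if ev.get("EventID") != "6":
        return None
    name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
    cve = VULNERABLE_DRIVERS.get(name)
    if cve:
        return f"byovd: vulnerable driver {name} ({cve}) loaded, signer={ev.get('Signature', '?')}"
    return None


def check_symbol_download(ev: dict):
    """Flag a connection to the symbol server from a process that is not a known debugger."""
    if ev.get("EventID") != "3" or ev.get("DestinationHostname", "").lower() != SYMBOL_SERVER:
        return None
    if PureWindowsPath(ev["Image"]).name.lower() not in EXPECTED_SYMBOL_CLIENTS:
        return f"kernel-symbol-download: {ev['Image']} contacted {SYMBOL_SERVER}"
    return None


def triage(lines):
    """Run every check over every record and return the findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_dll_hijack, check_byovd, check_symbol_download):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENT_LINES):
        print(finding)
```

Run on the sample records, the script reports the temp-directory version.dll loaded by ecls.exe, the DBUtilDrv2.sys load, and the symbol-server connection from ecls.exe, while the System32 version.dll, tcpip.sys and windbg.exe records pass. The three checks are deliberately independent: any one of them on its own is a lead, and all three on the same host within a short window is the full chain the page describes.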
As cyber threat actors continue to evolve, staying vigilant and implementing proactive security measures is crucial in defending against sophisticated attacks like those conducted by ToddyCat.