ESET Vulnerability Exploited for Stealthy Malware Execution

A sophisticated APT tracked as ToddyCat has exploited an ESET DLL search order hijacking vulnerability for malware delivery.

A vulnerability impacting multiple ESET products has been exploited by an APT group to load malicious DLLs and silently deploy malware, Kaspersky reports.

The issue, tracked as CVE-2024-11859, is described as a DLL search order hijacking flaw: an attacker who already holds administrative privileges on the machine can get arbitrary code executed in the context of the affected ESET program.

According to Kaspersky, the bug was exploited by a sophisticated APT group tracked as ToddyCat to deploy TCESB, a complex tool written in C++ that can “stealthily execute payloads in circumvention of protection and monitoring tools installed on the device”.

Analysis of 2024 ToddyCat-related incidents led Kaspersky to the discovery of an extensionless executable file that was identified as a component of an ESET command line scanner, which the APT mistakenly left on an infected system.

“We believe that the operator, when transferring files to the device, made a mistake in the filename and moved two copies of it. After performing malicious activity, the file with the extension was deleted, while the other one remained in the system,” Kaspersky says.

Kaspersky’s analysis of the extensionless file revealed that it loaded a system library by bare file name, so the Windows loader looked for the DLL in the executable’s own directory first and only then in the system folders.

This allowed attackers to drop a malicious DLL carrying the same name into the directory the tool ran from, so that the tool loaded it instead of the legitimate system library, resulting in code execution inside a process belonging to a trusted security product. The technique only works for libraries that Windows does not pre-map from its KnownDLLs list, which is why such attacks target a less central system DLL rather than, say, kernel32.dll.
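The search-order behaviour described above, modelled in Python, with a small hunting check a defender can point at a real product directory. This is an added illustration for this article, not code from Kaspersky, ESET or the attacker; the directory layout, the DLL name "version.dll" and the file name "scanner" are assumptions chosen for the demo, not details from the report.

```python
"""DLL search order hijacking, modelled in Python.

Added illustration for this article; it is not Kaspersky's, ESET's or
ToddyCat's code.  The directory layout, the DLL name "version.dll" and
the file name "scanner" are assumptions chosen for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def default_search_order(app_dir, system_dir, cwd, path_dirs=()):
    """Order the Windows loader uses for a DLL requested by bare name
    (SafeDllSearchMode on, DLL not in the KnownDLLs list): the directory
    of the executable is consulted before System32."""
    return [Path(app_dir), Path(system_dir), Path(cwd), *map(Path, path_dirs)]


def hardened_search_order(system_dir):
    """Order after the fix: load by absolute path, or with
    LOAD_LIBRARY_SEARCH_SYSTEM32, so only the system directory counts."""
    return [Path(system_dir)]


def resolve_dll(name, search_order):
    """Return the first candidate that exists, as the loader would."""
    for directory in search_order:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Hunting check: DLLs sitting next to an application that share a
    name with a DLL in the system directory but differ in content.
    Returns (suspect_path, system_path) pairs."""
    system_dlls = {p.name.lower(): p for p in Path(system_dir).glob("*.dll")}
    findings = []
    for dll in Path(app_dir).glob("*.dll"):
        system_copy = system_dlls.get(dll.name.lower())
        if system_copy is not None and sha256_of(dll) != sha256_of(system_copy):
            findings.append((dll, system_copy))
    return findings


def build_demo():
    """Constructed layout (assumption): a fake System32 with the genuine
    version.dll, and an application directory holding an extensionless
    scanner binary plus an attacker-planted version.dll."""
    root = Path(tempfile.mkdtemp(prefix="dllhijack_"))
    system_dir, app_dir, cwd = root / "System32", root / "scanner", root / "work"
    for d in (system_dir, app_dir, cwd):
        d.mkdir()
    (system_dir / "version.dll").write_bytes(b"MZ legitimate version.dll")
    (app_dir / "scanner").write_bytes(b"MZ extensionless command-line tool")
    (app_dir / "version.dll").write_bytes(b"MZ attacker-planted version.dll")
    return app_dir, system_dir, cwd


def demo():
    """Resolve the same DLL name under both orders and run the hunt."""
    app_dir, system_dir, cwd = build_demo()
    name = "version.dll"
    vulnerable = resolve_dll(name, default_search_order(app_dir, system_dir, cwd))
    fixed = resolve_dll(name, hardened_search_order(system_dir))
    return {
        "vulnerable_loads_from": vulnerable.parent.name,   # the app directory
        "hardened_loads_from": fixed.parent.name,          # System32
        "shadowed": [p.name for p, _ in find_shadowing_dlls(app_dir, system_dir)],
    }


if __name__ == "__main__":
    print(demo())
```

On a Windows host, `find_shadowing_dlls(r"C:\Program Files\<product>", r"C:\Windows\System32")` lists same-named DLLs whose hash differs from the system copy; a hit is not proof of compromise (vendors do ship private builds of some libraries), so follow it with an Authenticode signature check on the suspect file. The model omits the 16-bit system directory and the Windows directory, which sit between System32 and the current directory in the real order; that simplification does not change which copy wins here.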

ToddyCat, Kaspersky says, exploited the bug to load TCESB, a tool that could modify “operating system kernel structures to disable notification routines, for example, about a process creation event in the system or a load event”.


The security firm explains that TCESB can identify the Windows kernel version, deploy known-vulnerable signed drivers (such as the Dell DBUtilDrv2.sys driver, in a bring-your-own-vulnerable-driver approach), and fetch payloads that are executed in memory.

ESET released fixes for CVE-2024-11859 in January and published a security advisory last week, noting that nearly a dozen products are affected and urging users to update to patched versions.

“This technique did not elevate the privileges, though—the attacker would have already needed to have administrator privileges to perform this attack,” ESET explained.

Active since at least 2020 and believed to be operating out of China, ToddyCat has been targeting various entities in Europe and Asia, including government and military organizations, and telecom providers.

Related: ESET Distributor’s Systems Abused to Deliver Wiper Malware

Related: ESET Patches Privilege Escalation Vulnerabilities in Windows, macOS Products

Related: ESET Patches High-Severity Privilege Escalation Vulnerability

Related: ESET Patches High-Severity Vulnerability in Secure Traffic Scanning Feature

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
