{"id":2667,"date":"2025-04-08T11:54:39","date_gmt":"2025-04-08T11:54:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2667"},"modified":"2025-04-08T11:54:39","modified_gmt":"2025-04-08T11:54:39","slug":"chinese-toddycat-abuses-eset-antivirus-bug-for-malicious-activities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2667","title":{"rendered":"Chinese ToddyCat abuses ESET antivirus bug for malicious activities"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>China-backed APT group ToddyCat has been found exploiting a medium-severity vulnerability in ESET antivirus software to sneak malicious code onto vulnerable systems.<\/p>\n<p>Tracked as CVE-2024-11859, the flaw is a dynamic link library (<a href=\"https:\/\/www.csoonline.com\/article\/548798\/application-security-escape-from-windows-dll-security-hell.html\">DLL<\/a>) search order hijacking vulnerability discovered and reported by Kaspersky last year, with a fix issued by ESET in January.<\/p>\n<p>\u201cOn systems with an affected ESET product installed, an attacker could plant a malicious dynamic-link library to a specific folder and execute its content by running ESET Command Line Scanner, which would load the planted library instead of the intended system library,\u201d ESET said in an <a href=\"https:\/\/support.eset.com\/en\/ca8810-dll-search-order-hijacking-vulnerability-in-eset-products-for-windows-fixed\">advisory<\/a>.<\/p>\n<p>The company is urging customers using its consumer, business, and server security products to upgrade to a fixed build of the antivirus.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>How the malicious DLL gets executed<\/h2>\n<p>CVE-2024-11859 is a CVSS 6.8\/10 flaw stemming from the way one of ESET\u2019s antivirus tools (the command line scanner) loads a 
requested DLL. Instead of resolving the library from a trusted system directory first, the scanner looks in its current working directory, so an attacker who drops a DLL with the expected name there gets it loaded in place of the genuine Windows library. Kaspersky describes the technique as DLL proxying: the planted version.dll forwards the exported functions on to the real system copy, so the scanner keeps working normally while the attacker\u2019s code runs inside a process belonging to the security product.<\/p>\n<p>To exploit the flaw, however, the attacker already needs administrative-level privileges on the targeted system, which makes the bug a defense-evasion aid rather than an initial-access or privilege-escalation vector.<\/p>\n<p>Kaspersky found ToddyCat using the flaw in campaigns going back to early 2024 to plant a 64-bit DLL containing the \u201cTCESB\u201d malware, written in C++, the company said in a <a href=\"https:\/\/securelist.com\/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying\/116086\/\">blog post<\/a>.<\/p>\n<p>\u201cWhile investigating ToddyCat-related incidents, we detected a suspicious file named version.dll in the temp directory on multiple devices,\u201d Kaspersky said. \u201cPreviously unseen in ToddyCat attacks, it is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device.\u201d<\/p>\n<p>Once loaded, TCESB determines the running kernel version, installs a known-vulnerable driver (a bring-your-own-vulnerable-driver technique) and uses it to disable the kernel notification routines that security tools rely on, then launches a final payload of which Kaspersky was unable to obtain samples.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>A range of affected products<\/h2>\n<p>The flaw affects every ESET product that ships the command line scanner, which covers an array of products used by power users, IT admins, and enterprise environments.<\/p>\n<p>According to the advisory, the affected antivirus versions include ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, and ESET Security Ultimate 18.0.12.0 and earlier. Affected endpoint offerings include ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 12.0.2038.0 and earlier.<\/p>\n<p>Affected business offerings include ESET Small Business Security and ESET Safe Server 18.0.12 and earlier. All affected versions have been fixed in the respective latest upgrades. 
Kaspersky has shared indicators of compromise (IoCs) to help detect traces of ToddyCat activity. \u201cTo detect the activity of such tools, it\u2019s recommended to monitor systems for installation events involving drivers with known vulnerabilities,\u201d the company said. It also recommended using operating system tools to check every loaded system library for copies of malicious files such as version.dll; the genuine version.dll lives in the Windows system directories, so a copy loaded from a temp or application folder warrants investigation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>China-backed APT group ToddyCat has been found exploiting a medium-severity vulnerability in ESET antivirus software to sneak malicious code onto vulnerable systems. Tracked as CVE-2024-11859, the flaw is a dynamic link library (DLL) search order hijacking vulnerability discovered and reported by Kaspersky last year, with a fix issued by ESET in January. \u201cOn systems with [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2668,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2667"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2667"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2667\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2668"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route
=%2Fwp%2Fv2%2Fmedia&parent=2667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
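The two detection recommendations in the article (check loaded libraries for a rogue version.dll, and watch for installations of known-vulnerable drivers) as an added PowerShell hunt. This is example code written for this page, not code from the article, ESET or Kaspersky. It assumes that the only legitimate homes for version.dll are %SystemRoot%\System32 and %SystemRoot%\SysWOW64, and that the System log's event 7045 ("A service was installed in the system") carries the service type as text containing the word "kernel"; both assumptions are marked in the comments. Run it from an elevated prompt, since unprivileged sessions cannot enumerate modules of most processes.

```powershell
# Added example, not from the article or Kaspersky's report.
# Assumption: the genuine version.dll only ever lives in these two directories.
$script:TrustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Find-SuspiciousVersionDll {
    # Walk every inspectable process and report any version.dll loaded from outside
    # the Windows system directories: the DLL-proxying pattern described in the article.
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # protected/system processes deny access
        foreach ($m in $modules) {
            if ($m.ModuleName -ine 'version.dll') { continue }
            $dir = Split-Path -Path $m.FileName -Parent
            if ($script:TrustedDirs -contains $dir) { continue }  # -contains is case-insensitive
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Pid         = $proc.Id
                Path        = $m.FileName
                Signature   = $sig.Status                      # Valid / NotSigned / HashMismatch ...
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    }
}

function Get-RecentDriverInstalls {
    # List kernel-mode driver service installations recorded as System event 7045,
    # the trace a bring-your-own-vulnerable-driver install leaves behind. Compare the
    # SHA-256 values against a list of known-vulnerable drivers (for example the
    # LOLDrivers project) afterwards.
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Assumption: ServiceType is free text such as "kernel mode driver" (localized on non-English systems).
        if ($data['ServiceType'] -notmatch 'kernel') { continue }
        # ImagePath may be written as \??\C:\... or relative to the Windows directory.
        $image = $data['ImagePath'] -replace '^\\\?\?\\', ''
        if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }
        $hash = if (Test-Path -LiteralPath $image) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $image
            Sha256      = $hash            # $null when the file has already been removed
        }
    }
}

Find-SuspiciousVersionDll | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 30 | Format-Table -AutoSize
```

An empty result from the first function is only as good as the set of processes you could open; a short-lived scanner process that has already exited leaves nothing to inspect, so pair it with a filesystem sweep of temp and application directories for stray copies of version.dll. The second function deliberately reports every kernel driver install rather than trying to judge which are malicious: a vulnerable driver is usually validly signed, so the hash, not the signature, is what has to be checked against a vulnerable-driver list.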