New Malware Alert: TCESB Actively Exploiting ESET Security Scanner

In 2024, cybersecurity experts at Kaspersky discovered a new hacking tool used by a group called ToddyCat. The tool, named TCESB, is malware hidden inside a file called version.dll. It is built to run harmful software on infected Windows computers without being noticed by antivirus or other security tools.

The attackers used a DLL proxying technique to run their code. Windows programs rely on DLL files, shared libraries, to work properly. If a program loads a fake DLL created by the attackers, that DLL can run malicious code in the background while passing the program's calls through to the real library, so the program continues to work normally.

The security program that was tricked is the ESET Command-line Scanner. It had a vulnerability (now tracked as CVE-2024-11859) that caused it to load version.dll from the wrong location: the same folder where the malware was hiding. Because the scanner is a trusted program, loading the fake DLL did not raise any alarms.

Once inside the system, TCESB goes deeper. It disables the Windows notification mechanisms that normally alert security software when new processes start or when system files are loaded, which makes it even harder to detect.

TCESB first checks which version of Windows it is running on. It uses built-in system files to find out where the important system structures are stored in memory. If it cannot find what it needs, it downloads a debug symbol file (a PDB file) from Microsoft's servers to work it out.

Then it uses another trick known as BYOVD (Bring Your Own Vulnerable Driver). This means it installs an old driver with a known vulnerability, in this case a Dell driver named DBUtilDrv2.sys (CVE-2021-36276). This driver allows the malware to change Windows' core memory, which lets it turn off security features.

TCESB then sits quietly and waits for a payload file (the actual malware) to appear in its folder. The payload files have names such as kesp or ecore and no extension like .exe. They are encrypted with AES-128, and the decryption key is stored in the first 32 bytes of the file. Once a payload is found, TCESB decrypts it and runs it in memory.

The tool also writes a log file that records every step it takes, which helps the attackers confirm whether everything worked.

Key takeaways:

ToddyCat used a trusted security tool to run malware and avoid detection.

They planted a fake DLL (version.dll) and tricked the ESET scanner into loading it.

The malware disables security notifications and uses a vulnerable Dell driver to dig deeper into Windows.

It waits to load its actual malicious code from an encrypted file.

These techniques help the malware stay hidden for longer.

To defend against tools like TCESB, experts recommend checking for old or vulnerable drivers, monitoring for unexpected symbol (PDB) downloads, and making sure system files are properly signed and located where they belong.
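As an added example (not code from the Kaspersky report or from this article), the three behaviours described above expressed as triage rules over constructed Sysmon-style events: a version.dll loaded from outside the system directories, the DBUtilDrv2.sys driver loading at all, and a non-debugger process resolving Microsoft's symbol server. The event records, paths, process names and the debugger allowlist are assumptions for illustration.

```python
import json
from pathlib import PureWindowsPath

# Directories a legitimate version.dll is expected to be loaded from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Processes that legitimately fetch PDBs from the symbol server (assumed allowlist).
SYMBOL_CLIENTS = {"devenv.exe", "windbg.exe", "windbgx.exe"}
SYMBOL_SERVER = "msdl.microsoft.com"  # Microsoft public symbol server

# Constructed Sysmon-style events (ID 7 image load, 6 driver load, 22 DNS),
# one JSON object per line. Paths and process names are made up.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Tools\\ecls.exe", "ImageLoaded": "C:\\Tools\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\App\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\DBUtilDrv2.sys", "Signed": "true"}
{"EventID": 22, "Image": "C:\\Tools\\ecls.exe", "QueryName": "msdl.microsoft.com"}
{"EventID": 22, "Image": "C:\\VS\\devenv.exe", "QueryName": "msdl.microsoft.com"}
"""

def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _name(path):
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return (rule, event) pairs for events matching a TCESB-style behaviour."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        loaded = ev.get("ImageLoaded", "")
        if eid == 7 and _name(loaded) == "version.dll" \
                and str(PureWindowsPath(loaded).parent).lower() not in SYSTEM_DIRS:
            # version.dll resolved next to the host binary: sideload candidate.
            findings.append(("version_dll_sideload", ev))
        elif eid == 6 and _name(loaded) == "dbutildrv2.sys":
            # BYOVD: the driver carries a valid Dell signature, so the file name
            # and the fact that it loads at all are the signal, not "Signed".
            findings.append(("vulnerable_driver_load", ev))
        elif eid == 22 and ev.get("QueryName", "").lower() == SYMBOL_SERVER \
                and _name(ev.get("Image", "")) not in SYMBOL_CLIENTS:
            # A non-debugger process resolving the symbol server: likely PDB fetch.
            findings.append(("unexpected_symbol_download", ev))
    return findings

if __name__ == "__main__":
    for rule, ev in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: {json.dumps(ev)}")
```

The signed-driver case is the one to note: DBUtilDrv2.sys passes signature checks, so a rule keyed on "Signed" alone would miss it.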
