Advanced Persistent Threat (APT) groups are constantly evolving their techniques to evade detection. Kaspersky Labs has recently uncovered a sophisticated method employed by the ToddyCat group: hiding their malicious activity within the context of legitimate security software.
In early 2024, Kaspersky's investigation into ToddyCat incidents revealed a suspicious file named “version.dll” on multiple devices. This file turned out to be a complex tool, detected by Kaspersky as “Trojan.Win64.ToddyCat.a” and “Trojan.Win64.ToddyCat.b” and named TCESB. The report describes it as a “complex tool called TCESB…designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device.”
The TCESB tool uses a technique called DLL proxying (a form of Hijack Execution Flow) to run its malicious code. As the report explains, “By means of this technique, a malicious DLL exports all functions of a legitimate one, but instead of implementing them, redirects calls to these functions to the original DLL.” Because the forwarded calls behave exactly as the application expects, the malicious code runs in the context of the legitimate application, effectively hiding its activity.
Kaspersky's analysis revealed that the ToddyCat attackers exploited a vulnerability (CVE-2024-11859) in ESET's Command line scanner (ecls.exe) to load the TCESB tool. The scanner insecurely loads the system library “version.dll”, checking for it in its current directory before searching the system directories. This weakness allows a malicious DLL such as TCESB to be loaded in place of the legitimate system library.
The TCESB tool is based on the open-source malware EDRSandBlast and has been modified to extend its functionality. Kaspersky's research indicates that “The resulting tool's capabilities include modifying operating system kernel structures to disable notification routines, for example, about a process creation event in the system or a load event.” TCESB can also determine the Windows kernel version and obtain the necessary kernel memory offsets, using either a CSV file or a PDB file from Microsoft's debug information server. Furthermore, TCESB employs the Bring Your Own Vulnerable Driver (BYOVD) technique by installing a vulnerable driver (Dell DBUtilDrv2.sys) to modify kernel structures.
TCESB waits for a specifically named payload file, decrypts it using AES-128, and executes it.
To detect similar activity, Kaspersky recommends monitoring systems for the installation of drivers with known vulnerabilities (lists of which can be found on the loldrivers project website), monitoring events related to the loading of Windows kernel debug symbols, and checking the digital signatures of all loaded system library files.