A newly discovered vulnerability in ESET’s security software has been exploited by the advanced persistent threat (APT) group ToddyCat to stealthily deploy malware, according to a recent report from cybersecurity firm Kaspersky.
The flaw, tracked as CVE-2024-11859, involves DLL search order hijacking, a technique in which an attacker abuses the order of directories a program searches when loading its libraries. If an attacker already has administrative access, they can exploit this loophole to have the program load a malicious DLL file in place of the legitimate one, allowing silent execution of malicious code on the system.
ESET Vulnerability Enables Malware Injection
This critical bug affects several ESET products and was officially patched in January. However, Kaspersky researchers found that the ToddyCat APT group had already been actively using it in real-world attacks. Their goal? To deploy a sophisticated malware tool known as TCESB—a C++-based program capable of evading antivirus tools and OS monitoring systems.
According to Kaspersky, the attackers made a small but telling mistake during one of their operations. They inadvertently left behind an executable without a file extension—later revealed to be a component of the ESET command-line scanner. This remnant helped researchers trace the origin and method of the attack.
“We believe the attacker accidentally uploaded two copies of the file,” Kaspersky stated. “After completing the malicious activity, they deleted the one with the extension, but left the other behind.”
How DLL Hijacking Was Used in the Attack
Analysis showed that the orphaned executable was looking for a specific system DLL in the wrong order—first in its own directory, then in the system directories. This opened the door for attackers to drop a malicious DLL in the local directory, which the executable would unknowingly load, triggering the malware.
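The loading pattern described above is detectable from image-load telemetry: a DLL whose name belongs in a Windows system directory, but which was loaded from the executable's own directory. The following is an added example of that check, not code from Kaspersky, ESET or the report; the system DLL names, directory roots and log events are constructed placeholders, and the field names only mirror the Sysmon ImageLoad event layout.

```python
"""
Flag image-load events where a DLL that normally ships in a Windows system
directory was instead loaded from the directory of the executable that
loaded it, the pattern behind DLL search order hijacking.
All events and names below are constructed for this example.
"""
from pathlib import PureWindowsPath

# Directories from which Windows-provided DLLs are expected to load.
# Assumption for this example: a 64-bit install on drive C:.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def is_under(path, root):
    """Case-insensitive check that `path` sits below directory `root`."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r


def is_suspicious_load(image, loaded, system_dlls):
    """True when `loaded` carries the name of a system DLL but came from
    the directory of `image` rather than from a system directory."""
    img, dll = PureWindowsPath(image), PureWindowsPath(loaded)
    if dll.name.lower() not in system_dlls:
        return False                      # not a system DLL name at all
    if any(is_under(dll, d) for d in SYSTEM_DIRS):
        return False                      # loaded from where it belongs
    return str(dll.parent).lower() == str(img.parent).lower()


def find_hijacks(events, system_dlls):
    """Return (Image, ImageLoaded) pairs that look like search-order hijacks."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if is_suspicious_load(e["Image"], e["ImageLoaded"], system_dlls)]


# Constructed sample: names of DLLs that ship in System32 on a typical host.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed sample events; the second mimics an extensionless executable
# loading a system-named DLL from its own directory.
EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Temp\scanner", "ImageLoaded": r"C:\Temp\version.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\app.dll"},
]

if __name__ == "__main__":
    for image, dll in find_hijacks(EVENTS, SYSTEM_DLLS):
        print(f"possible DLL hijack: {image} loaded {dll}")
```

On a real host the list of system DLL names would be built from the contents of System32 rather than hard-coded, and the check would run over the full ImageLoad event stream.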
Through this method, ToddyCat successfully injected TCESB into infected machines. This tool is highly dangerous, capable of modifying kernel-level functions and disabling system notifications—like alerts for new process creation or DLL loading—making detection incredibly difficult.
TCESB Uses Driver Vulnerabilities to Stay Hidden
Further digging revealed that TCESB can identify the victim’s Windows kernel version and then load vulnerable drivers, such as the widely known Dell DBUtilDrv2.sys, to operate at the kernel level. It then loads additional payloads directly into memory, minimizing traces on disk and evading endpoint detection.
Despite the advanced tactics, the exploit didn’t offer privilege escalation. Attackers needed admin access upfront to deploy the attack, which somewhat limits its use—but makes it all the more dangerous in targeted campaigns where initial access has already been gained.
ESET Urges Immediate Patching
ESET has since published a detailed security advisory, confirming that nearly a dozen of its products were affected. While fixes were rolled out in January 2024, the advisory urges users and system administrators to update immediately to stay protected.
“The vulnerability does not offer privilege escalation,” ESET clarified. “However, it allows for malicious code execution once administrative access has already been achieved.”