How ToddyCat tried to hide behind AV software

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

The ToddyCat APT group has developed a sophisticated tool called TCESB to stealthily execute payloads and evade detection. The tool exploits a vulnerability (CVE-2024-11859) in the ESET Command line scanner to perform DLL proxying, and is built on a modified version of the open-source EDRSandBlast malware. TCESB combines DLL proxying, kernel memory manipulation and Bring Your Own Vulnerable Driver (BYOVD) to bypass security solutions. It locates the kernel structure addresses it needs using CSV or PDB files, installs a vulnerable Dell driver, and decrypts AES-128 encrypted payloads. The discovery highlights the need to monitor driver installations and Windows kernel debug symbol loading events in order to detect such sophisticated attacks.

OPENCTI LABELS:

byovd,kernel manipulation,dll proxying,cve-2021-36276,tcesb,cve-2024-11859,eset,edrsandblast
