TCESB is based on the open-source tool EDRSandBlast and is designed to stealthily bypass monitoring tools by altering operating system kernel structures. It uses a known technique called Bring Your Own Vulnerable Driver (BYOVD) to install a vulnerable Dell driver (DBUtilDrv2.sys), which is susceptible to privilege escalation (CVE-2021-36276). This enables TCESB to disable security notifications at the kernel level.

Once the vulnerable driver is installed, TCESB continuously checks for a specific encrypted payload file. When detected, the payload is decrypted using AES-128 and executed.

Kaspersky advises monitoring systems for suspicious driver installation events and unexpected loading of Windows kernel debug symbols as a way to detect such threats. This attack highlights the ongoing risks associated with vulnerable drivers and DLL hijacking techniques in advanced persistent threat (APT) operations.

Impact

• Data Theft
• Code Execution
• Privilege Escalation

Indicators of Compromise

MD5

• dacb62578b3ea191ea37486d15f4f83c

SHA-256

• 2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8

SHA1

• 90a76945fd2fa45fab2b7bcfdaf6563595f94891

Remediation

• Update ESET products to the latest version to ensure the vulnerability is patched.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly monitor systems for unauthorized installation of drivers, especially those with known vulnerabilities.
• Implement strict access controls to limit administrative privileges, reducing the risk of exploitation.
• Educate users about the dangers of downloading and executing untrusted files to prevent initial compromise.
• Utilize endpoint detection and response (EDR) solutions to identify and mitigate suspicious activities promptly.
• Regularly back up critical data and ensure backups are stored securely to facilitate recovery in case of an attack