April 9, 2025
Severity
High
Analysis Summary
A Chinese-affiliated threat actor known as ToddyCat has been observed exploiting a vulnerability in ESET’s security software to deploy a previously undocumented malware called TCESB, according to a security firm. Active since at least December 2020, ToddyCat has targeted entities across Asia, focusing on large-scale data theft and persistent access.
In early 2024, researchers discovered a suspicious DLL file ("version.dll") in the temp directories of compromised devices. TCESB is a 64-bit DLL launched through DLL Search Order Hijacking by exploiting a flaw in ESET’s Command Line Scanner, which insecurely loads "version.dll" from the current directory instead of the system directory. This flaw, tracked as CVE-2024-11859 and rated medium severity, allowed attackers who already held administrator privileges to execute malicious code. ESET patched the vulnerability in January 2025.
TCESB is based on the open-source tool EDRSandBlast and is designed to stealthily bypass monitoring tools by altering operating system kernel structures. It uses a known technique called Bring Your Own Vulnerable Driver (BYOVD) to install a vulnerable Dell driver (DBUtilDrv2.sys), which is susceptible to privilege escalation (CVE-2021-36276). This enables TCESB to disable security notifications at the kernel level.
Once the vulnerable driver is installed, TCESB continuously checks for a specific encrypted payload file. When detected, the payload is decrypted using AES-128 and executed.
Kaspersky advises monitoring systems for suspicious driver installation events and unexpected loading of Windows kernel debug symbols as a way to detect such threats. This attack highlights the ongoing risks associated with vulnerable drivers and DLL hijacking techniques in advanced persistent threat (APT) operations.
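The two telemetry signals recommended above, kernel-mode driver installations and unexpected handling of Windows kernel debug symbols, can be checked with simple detection logic. The following is an added example, not code from the advisory or from any vendor. It runs over constructed records shaped like a Windows System log Event ID 7045 (service installed) and a Sysmon Event ID 11 (file created); the driver watchlist contains the DBUtilDrv2.sys driver named in the advisory, while the kernel symbol file names, the user-writable path patterns and the debugger allowlist are assumptions that a deployment would tune.

```python
"""Detection logic for the signals the advisory recommends watching:
kernel-mode driver installs and kernel debug symbols being written by an
unexpected process. All event records here are constructed for illustration."""
import re

# Constructed, normalised event records (field names are assumptions, chosen to
# mirror the data in Windows Event 7045 and Sysmon Event 11).
SAMPLE_EVENTS = [
    {"event_id": 7045, "source": "System", "service_name": "DBUtil",
     "image_path": r"C:\Users\Public\DBUtilDrv2.sys",
     "service_type": "kernel mode driver"},
    {"event_id": 7045, "source": "System", "service_name": "vmci",
     "image_path": r"C:\Windows\System32\drivers\vmci.sys",
     "service_type": "kernel mode driver"},
    {"event_id": 11, "source": "Sysmon",
     "image": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "target_filename": r"C:\Users\bob\AppData\Local\Temp\ntkrnlmp.pdb"},
    {"event_id": 11, "source": "Sysmon",
     "image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe",
     "target_filename": r"C:\ProgramData\dbg\sym\ntkrnlmp.pdb\ABC\ntkrnlmp.pdb"},
]

# Driver named in the advisory as the BYOVD component (CVE-2021-36276).
KNOWN_VULNERABLE_DRIVERS = {"dbutildrv2.sys"}
# Locations from which a kernel driver should never normally be installed (assumption).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.I)
# Kernel symbol file names (assumption: common names of the NT kernel PDB).
KERNEL_PDB = re.compile(r"\\nt(oskrnl|krnlmp|krnlpa|krpamp)\.pdb$", re.I)
# Processes expected to fetch kernel symbols (assumption; extend per environment).
DEBUGGER_ALLOWLIST = {"windbg.exe", "kd.exe", "cdb.exe"}


def basename(path):
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return a list of (finding_type, evidence) tuples for the given records."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 7045 and ev.get("service_type", "").lower() == "kernel mode driver":
            path = ev["image_path"]
            if basename(path) in KNOWN_VULNERABLE_DRIVERS:
                findings.append(("known_vulnerable_driver", path))
            elif USER_WRITABLE.match(path):
                findings.append(("driver_from_user_writable_path", path))
        elif ev.get("event_id") == 11 and ev.get("source") == "Sysmon":
            writer = basename(ev["image"])
            if KERNEL_PDB.search(ev["target_filename"]) and writer not in DEBUGGER_ALLOWLIST:
                findings.append(("kernel_symbols_by_unexpected_process", ev["image"]))
    return findings


if __name__ == "__main__":
    for kind, evidence in analyse(SAMPLE_EVENTS):
        print(f"{kind}: {evidence}")
```

The allowlist approach is deliberate: a kernel PDB appearing on disk is rare enough on a workstation that anything other than a known debugger producing it deserves a look, whereas alerting on every driver install would be far too noisy, so the driver rule keys on a known-bad name first and on an implausible source path second.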
Impact
- Data Theft
- Code Execution
- Privilege Escalation
Indicators of Compromise
MD5
- dacb62578b3ea191ea37486d15f4f83c
SHA-256
- 2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8
SHA1
- 90a76945fd2fa45fab2b7bcfdaf6563595f94891
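A practical way to use the hashes above together with the DLL hijacking detail from the analysis is a file sweep: hash every file under the directories of interest, compare against the published indicators, and separately flag any version.dll that sits outside the Windows system directories. The script below is an added example, not the advisory's own tooling; the three hashes are the ones published above, while the system-directory markers and the sample directory tree it builds for a dry run are assumptions and constructed data.

```python
"""IOC sweep for the TCESB indicators plus a check for version.dll copies
placed outside the Windows system directories (the search-order hijack the
advisory describes). The sample tree created by make_sample_tree() is constructed."""
import hashlib
import os
import tempfile

# Hashes published in the advisory (MD5, SHA1, SHA-256 of the TCESB DLL).
IOC_HASHES = {
    "dacb62578b3ea191ea37486d15f4f83c",
    "90a76945fd2fa45fab2b7bcfdaf6563595f94891",
    "2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8",
}
# DLL name abused for search-order hijacking, from the advisory.
HIJACK_DLL_NAMES = {"version.dll"}
# Where a legitimate version.dll lives (assumption: standard Windows layout).
SYSTEM_DIR_MARKERS = ("windows\\system32", "windows\\syswow64")


def hash_file(path, chunk=1 << 20):
    """Compute MD5, SHA1 and SHA-256 of a file in one pass; returns a dict."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(roots, iocs=IOC_HASHES):
    """Walk the given root(s); return (finding_type, path, detail) tuples."""
    if isinstance(roots, str):
        roots = [roots]
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    hashes = hash_file(path)
                except OSError:
                    continue  # unreadable or vanished file; skip, do not abort the sweep
                hit = set(hashes.values()) & iocs
                if hit:
                    findings.append(("ioc_hash_match", path, sorted(hit)))
                normalised = path.lower().replace("/", "\\")
                if name.lower() in HIJACK_DLL_NAMES and not any(
                        marker in normalised for marker in SYSTEM_DIR_MARKERS):
                    findings.append(("dll_outside_system_dir", path, None))
    return findings


def make_sample_tree():
    """Build a constructed directory tree for a dry run; returns (root, paths)."""
    root = tempfile.mkdtemp(prefix="iocsweep_")
    paths = {
        "legit_dll": os.path.join(root, "Windows", "System32", "version.dll"),
        "rogue_dll": os.path.join(root, "Users", "bob", "AppData", "Local", "Temp", "version.dll"),
        "sample": os.path.join(root, "Users", "bob", "AppData", "Local", "Temp", "sample.bin"),
    }
    for path in paths.values():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder content for " + os.path.basename(path).encode())
    return root, paths


if __name__ == "__main__":
    sample_root, _ = make_sample_tree()
    for kind, path, detail in sweep(sample_root):
        print(f"{kind}: {path} {detail or ''}")
```

Hashing in a single pass and comparing all three digests at once means the sweep stays correct whichever hash type an indicator feed happens to publish, and the path check is kept independent of the hash match because a recompiled loader will not share these hashes but will still need to drop a version.dll next to the abused executable.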
Remediation
- Update ESET products to the latest version to ensure the vulnerability is patched.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly monitor systems for unauthorized installation of drivers, especially those with known vulnerabilities.
- Implement strict access controls to limit administrative privileges, reducing the risk of exploitation.
- Educate users about the dangers of downloading and executing untrusted files to prevent initial compromise.
- Utilize endpoint detection and response (EDR) solutions to identify and mitigate suspicious activities promptly.
- Regularly back up critical data and ensure backups are stored securely to facilitate recovery in case of an attack.