ToddyCat: Malware exploits security vulnerability in antivirus software

Instead of protecting systems from malware, a vulnerability in Eset antivirus protection has led to the execution of malware.


(Image: Created with AI in Bing Creator by heise online / dmk)


While investigating a malware infection on a computer, IT researchers discovered a security vulnerability in antivirus software that attackers misused to execute malicious code. The antivirus protection thus enabled the malware to be executed in the first place.

Kaspersky has published an analysis of the malware. According to it, IT researchers investigating incidents involving the ToddyCat malware came across a suspicious file called “version.dll” in the temporary directory of several devices. It is a 64-bit DLL written in C++ that contains a complex tool called TCESB. This tool was new to ToddyCat attacks and is designed to execute malicious payloads on devices inconspicuously, bypassing protection and monitoring software.

Such a DLL exports functions and is loaded by another program that calls those functions. While searching for software that loads and calls this library, Kaspersky's analysts came across a file called “ecls”. The attacker had probably copied the file onto the system without an extension by mistake and, after the attack, deleted only the copy with an executable file suffix. It turned out to be the command line scanner from Eset's endpoint protection, the “Eset Command Line Scanner”.


Further investigation revealed that this scanner loads the “version.dll” library insecurely: it searches the current directory first and the system directories only afterwards, so a file of that name placed next to the scanner is picked up instead of the legitimate system library. This is a classic DLL search order hijacking vulnerability.
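To make the search order concrete, here is an added example (not code from Kaspersky, Eset or the article): it resolves “version.dll” along the insecure order the article describes and along a hardened order, and includes a small hunt for watched DLL names living outside the Windows system directories. All paths are constructed sample data; the temp directory and the placement of “ecls” are assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample of files present on an investigated host (assumption):
# the genuine system library plus a rogue copy in the temp directory next to "ecls".
PRESENT_FILES = {
    r"C:\Windows\System32\version.dll",
    r"C:\Users\victim\AppData\Local\Temp\version.dll",  # rogue copy
    r"C:\Users\victim\AppData\Local\Temp\ecls",
}
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows")
WATCHED = {"version.dll"}  # DLL names worth hunting for; extend as needed


def _norm(p):
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(p)).lower()


def resolve_dll(name, search_order, present=PRESENT_FILES):
    """Return the first path along search_order where `name` exists, else None."""
    present_norm = {_norm(p) for p in present}
    for directory in search_order:
        candidate = str(PureWindowsPath(directory) / name)
        if _norm(candidate) in present_norm:
            return candidate
    return None


def load_insecurely(cwd):
    # The order the article describes: current directory before system directories.
    return resolve_dll("version.dll", (cwd, *SYSTEM_DIRS))


def load_hardened(cwd):
    # Hardened: only the system directories are consulted for a system DLL,
    # so the current directory cannot shadow it (cwd is deliberately ignored).
    return resolve_dll("version.dll", SYSTEM_DIRS)


def find_shadowing_dlls(present=PRESENT_FILES):
    """Hunt: watched DLL names that sit outside the Windows system directories."""
    sysdirs = {_norm(d) for d in SYSTEM_DIRS}
    hits = [p for p in present
            if PureWindowsPath(p).name.lower() in WATCHED
            and _norm(PureWindowsPath(p).parent) not in sysdirs]
    return sorted(hits)


if __name__ == "__main__":
    tmp = r"C:\Users\victim\AppData\Local\Temp"
    print("insecure load  ->", load_insecurely(tmp))
    print("hardened load  ->", load_hardened(tmp))
    print("shadowing DLLs ->", find_shadowing_dlls())
```

Pointing the hunt at a real file inventory (for example an EDR file listing) turns `find_shadowing_dlls` into a quick triage check for the artefact described in the article.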

Eset received a vulnerability report from Kaspersky and responded with a security advisory at the weekend, entitled “DLL search order hijacking vulnerability in Eset products for Windows fixed”. In it, Eset acknowledges the vulnerability but emphasizes that it cannot be used to escalate privileges on the system; attackers must already have admin rights (CVE-2024-11859, CVSS 6.8, risk “medium”). The risk rating misses the “high” category by a hair's breadth.

Software updates are available, and various products from Eset's portfolio are affected. The fixed programs are Eset NOD32 Antivirus, Eset Internet Security, Eset Smart Security Premium and Eset Security Ultimate 18.1.10.0; Eset Endpoint Antivirus for Windows and Eset Endpoint Security for Windows 12.0.2045.0 and 11.1.2059.0; Eset Small Business Security and Eset Safe Server 18.1.10.0; Eset Server Security for Windows Server (previously File Security for Microsoft Windows Server) 11.1.12009.0; Eset Mail Security for Microsoft Exchange Server 11.1.10011.0, 11.0.10010.0 and 10.1.10017.0; and finally Eset Security for Microsoft SharePoint Server 11.1.15003.0, 11.0.15007.0 and 10.0.15008.0, as well as newer versions. Eset programs that are no longer supported are not listed by the manufacturer, so anyone running older versions of the protection software should urgently update to a version that is still supported.

It is to be expected that antivirus software, like all other programs, occasionally has security vulnerabilities. On Monday this week, for example, a critical vulnerability was discovered in Bitdefender's business protection software GravityZone. It is rare, however, for attackers to be caught actually misusing such a vulnerability to execute malware.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.