A China-affiliated threat actor known for its cyberattacks in Asia has been observed deploying a previously undocumented malware codenamed TCESB by exploiting a security flaw in ESET's security software.
In an analysis published this week, Kaspersky said TCESB is designed to stealthily execute payloads in order to circumvent the protection and monitoring tools on the device.
The threat activity cluster, known as ToddyCat, has targeted a number of organizations in Asia, with attacks dating back at least to December 2020.
Last year, the Russian cybersecurity vendor described the group's use of several tools as operating at "industrial scale" to maintain prolonged access to compromised environments.
Kaspersky said that a suspicious DLL file ("version.dll") was discovered on a number of devices in the temp directory during its investigation into ToddyCat-related incidents in early 2024. The 64-bit DLL, TCESB, was found to use a technique known as DLL Search Order Hijacking to seize control of the execution flow.
This is said to have been accomplished by exploiting a flaw in the ESET software, which insecurely loads a DLL named "version.dll" by first checking for the file in the current directory and only then in the system directories.
At this point, it is worth pointing out that "version.dll" is a legitimate Microsoft DLL located in the "C:\Windows\system32" or "C:\Windows\SysWOW64" directories.
Exploiting this flaw would let intruders execute their malicious "version.dll" instead of its legitimate counterpart. ESET patched the vulnerability (CVSS score: 6.8) in late January 2025 following responsible disclosure.
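The hijack described above works because a copy of a system DLL sitting next to the application wins the search. A defender can audit for that condition directly. The following script is an added example, not code from Kaspersky, ESET or the article: it compares the hash of any watched DLL found in an application directory against the legitimate copy in the system directory and reports mismatches. The directory layout in the demo is constructed in a temporary folder so it runs offline; on a real host you would point it at the scanner's install directory and the two system directories named above.

```python
"""Audit an application directory for side-loaded copies of a system DLL."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# DLLs that Windows ships in the system directory and that applications load by
# name. An extra copy beside an executable is a DLL search order hijack candidate.
# Only version.dll is listed because that is the DLL involved in this case.
WATCHED_DLLS = ("version.dll",)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hijack_candidates(app_dir: Path, system_dirs: list[Path]) -> list[dict]:
    """Return one finding per watched DLL present in app_dir whose hash matches
    none of the copies in the given system directories (or has no counterpart)."""
    findings = []
    for name in WATCHED_DLLS:
        candidate = app_dir / name
        if not candidate.is_file():
            continue
        cand_hash = sha256_of(candidate)
        legit_hashes = {
            str(d / name): sha256_of(d / name)
            for d in system_dirs
            if (d / name).is_file()
        }
        if cand_hash not in legit_hashes.values():
            findings.append({
                "dll": name,
                "path": str(candidate),
                "sha256": cand_hash,
                "legitimate": legit_hashes,
            })
    return findings


def demo(tampered: bool = True) -> list[dict]:
    """Build a constructed layout: a fake System32 holding a benign version.dll
    and an application directory holding either an identical copy (tampered=False)
    or a different file of the same name (tampered=True)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        app = root / "Program Files" / "scanner"
        sys32.mkdir(parents=True)
        app.mkdir(parents=True)
        legit = b"legitimate Microsoft version.dll (constructed sample bytes)"
        (sys32 / "version.dll").write_bytes(legit)
        planted = b"planted version.dll (constructed sample bytes)" if tampered else legit
        (app / "version.dll").write_bytes(planted)
        return find_hijack_candidates(app, [sys32])


if __name__ == "__main__":
    for finding in demo():
        print(f"[!] {finding['path']} sha256={finding['sha256'][:16]}... "
              f"matches no system copy")
```

A hash comparison is deliberately stricter than a signature check here: a side-loaded DLL may well carry a valid signature, so the question to ask is whether the file beside the executable is the same file the system directory provides.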
In an advisory published last month, ESET said the vulnerability could have allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code. The technique did not elevate privileges; the attacker would already have needed administrator privileges to carry out the attack.
In a statement shared with The Hacker News, the Slovak security firm said it has released fixed versions of its consumer, business, and server security products for Windows to address the vulnerability.
TCESB, for its part, is a modified version of an open-source tool called EDRSandBlast that includes features to disable the notification routines (also known as callbacks) through which drivers are notified of specific events, such as process creation or the setting of a registry key.
To accomplish this, TCESB uses another well-known technique called "bring your own vulnerable driver" (BYOVD) to install a vulnerable Dell driver, DBUtilDrv2.sys, through the Device Manager interface. The DBUtilDrv2.sys driver is known to be affected by a privilege escalation flaw.
This is not the first time that Dell drivers have been abused in a malicious manner. In 2022, a similar privilege escalation vulnerability in another Dell driver, dbutil_2_3.sys, was also used by the North Korea-linked Lazarus Group to evade security measures as part of BYOVD attacks.
Once the vulnerable driver is installed on the system, TCESB runs a loop that checks every two seconds for the presence of a payload file with a specific name in the current directory, according to Kaspersky researcher Andrey Gunkin. The payload may not be present at the time the tool is launched.
Although the payload artifacts themselves were unavailable, further analysis found that they were encrypted with AES-128 and were decrypted and executed as soon as they appeared in the expected path.
Kaspersky recommends monitoring systems for installation events involving drivers with known vulnerabilities "to detect the activity of such tools." It is also worth watching for events in which Windows kernel debug symbols are loaded on devices where debugging of the operating system kernel is not expected.
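Both of Kaspersky's detection suggestions can be expressed as simple rules over endpoint telemetry. The script below is an added example, not code from Kaspersky or the article: it runs two rules over a handful of constructed Sysmon-style records (Event ID 6, DriverLoad, and Event ID 11, FileCreate; the field names follow Sysmon's but the records themselves are made up). The vulnerable-driver list contains only the two Dell driver names mentioned above; the kernel symbol file names (ntkrnlmp.pdb, ntoskrnl.pdb) and the set of "expected" debugger images are assumptions you would tune to your environment, and a production rule would match driver hashes from a maintained list rather than file names, since a renamed driver defeats a name match.

```python
"""Flag loads of known-vulnerable drivers and unexpected kernel symbol activity."""
from __future__ import annotations

# Driver file names the article identifies as carrying privilege-escalation flaws.
KNOWN_VULNERABLE_DRIVERS = {"dbutildrv2.sys", "dbutil_2_3.sys"}

# Assumption: these are the symbol files a debugger fetches for the Windows kernel.
KERNEL_SYMBOL_FILES = {"ntkrnlmp.pdb", "ntoskrnl.pdb"}

# Assumption: images for which kernel symbol downloads are routine on a dev box.
EXPECTED_DEBUGGERS = {"windbg.exe", "windbgx.exe", "kd.exe"}

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS01", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},
    # A validly signed driver can still be a known-vulnerable one.
    {"EventID": 6, "Computer": "WS01", "Signed": "true",
     "ImageLoaded": r"C:\Users\Public\DBUtilDrv2.sys"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Users\Public\tool.exe",
     "TargetFilename": r"C:\Users\Public\sym\ntkrnlmp.pdb"},
    {"EventID": 11, "Computer": "DEV07",
     "Image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe",
     "TargetFilename": r"C:\Symbols\ntkrnlmp.pdb"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Users\Public\tool.exe",
     "TargetFilename": r"C:\Users\Public\sym\app.pdb"},
    {"EventID": 6, "Computer": "WS01", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\dbutil_2_3.sys"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> list[dict]:
    """Apply both rules and return one alert per matching event."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 6:
            driver = basename(ev["ImageLoaded"])
            if driver in KNOWN_VULNERABLE_DRIVERS:
                alerts.append({
                    "rule": "vulnerable-driver-load",
                    "host": ev["Computer"],
                    "driver": driver,
                    "path": ev["ImageLoaded"],
                })
        elif ev.get("EventID") == 11:
            target = basename(ev["TargetFilename"])
            image = basename(ev["Image"])
            # Symbol files for the kernel written by something that is not a debugger.
            if target in KERNEL_SYMBOL_FILES and image not in EXPECTED_DEBUGGERS:
                alerts.append({
                    "rule": "kernel-symbols-unexpected",
                    "host": ev["Computer"],
                    "image": ev["Image"],
                    "path": ev["TargetFilename"],
                })
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per rule, handy for a quick sanity check of the rule set."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['path']}")
```

The symbol rule keys on the writing process rather than on the host alone because the same file name is benign under WinDbg on a developer machine and suspicious when an unrelated binary drops it into a user-writable folder.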