ToddyCat, a threat actor linked to China, has been exploiting a flaw in ESET antivirus software to run its own code under the cover of a trusted security tool. Antivirus software is meant to protect computers from malware and intruders, but here a weakness in how one ESET tool loads its components let attackers slip a malicious program into a process the system trusts.
The bug, tracked as CVE-2024-11859, is a DLL search order hijacking flaw. The name sounds complex, but the idea is simple.
When some ESET tools run, they load helper code from Dynamic Link Libraries (DLLs): files of shared code that programs pull in at start-up. A program that asks for a system DLL by name rather than by full path relies on Windows to search a sequence of folders for it, and a correctly written tool makes sure a system library is taken only from the trusted Windows system folders. The affected ESET scanner instead looked first in the folder it was launched from.
Attackers exploit that ordering. They place a malicious DLL with the expected name in that folder; the tool then picks it up in place of the genuine system library and runs whatever code it contains, inside the trusted scanner process.
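To make the mechanism concrete, here is an added illustration (not code from Kaspersky, ESET or the article) that models how a loader resolves a library requested by bare name. The "filesystem" is a constructed dict of directory names to file names, the directory and executable names are placeholders rather than paths from the incident, and the hardened mode models the usual mitigation of pinning system-library loads to the system directories; the page does not say how the vendor patch itself is implemented, so that is an assumption.

```python
"""Search-order model for a DLL loaded by bare name (added example)."""
from pathlib import PureWindowsPath

# Directories Windows treats as trusted sources of system libraries.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]


def search_order(app_dir, restrict_to_system=False):
    """Directories consulted, in order, for a library requested by name.

    restrict_to_system=False models the behaviour the article describes:
    the directory the tool runs from is consulted before the system
    directories, so a planted file there wins.
    restrict_to_system=True models the usual mitigation (assumption):
    system libraries are taken only from the system directories, e.g. by
    loading them via a full path or a search flag pinned to System32.
    """
    if restrict_to_system:
        return list(SYSTEM_DIRS)
    return [app_dir, *SYSTEM_DIRS]


def resolve_dll(name, fs, app_dir, restrict_to_system=False):
    """Return the path the loader would pick for `name`, or None."""
    wanted = name.lower()
    for directory in search_order(app_dir, restrict_to_system):
        present = {f.lower() for f in fs.get(directory, ())}
        if wanted in present:
            return str(PureWindowsPath(directory) / name)
    return None


def hijack_succeeds(name, fs, app_dir, restrict_to_system=False):
    """True when the copy chosen lives outside the system directories."""
    chosen = resolve_dll(name, fs, app_dir, restrict_to_system)
    if chosen is None:
        return False
    parent = str(PureWindowsPath(chosen).parent).lower()
    return parent not in {d.lower() for d in SYSTEM_DIRS}


# Constructed scenario: the scanner (placeholder name scanner.exe) is
# launched from a temp directory where version.dll has been planted; the
# genuine version.dll lives in System32.
SAMPLE_FS = {
    r"C:\Temp\scan": {"scanner.exe", "version.dll"},
    r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
}

if __name__ == "__main__":
    for hardened in (False, True):
        picked = resolve_dll("version.dll", SAMPLE_FS, r"C:\Temp\scan", hardened)
        print(f"restrict_to_system={hardened}: loads {picked}")
```

In the flawed order the planted file in the launch directory shadows the genuine library; once the lookup is restricted to the system directories the same planted file is never consulted.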
The problem was discovered last year by researchers at Kaspersky, and ESET released a fix in January 2025. Not every user or business installs updates right away, however, and ToddyCat has taken advantage of that delay to carry out quiet attacks on systems that remain unpatched.
How Do the Hackers Use It?
ToddyCat's method is not something a beginner could pull off. It requires the attacker to already hold high-privilege access on the target system, so this is not a virus that spreads by itself through email or downloads. It is a post-compromise technique: the group uses it after it has gained a foothold in a network and wants to stay hidden while extending its access.
Once inside a system, ToddyCat drops a file named version.dll (the name of a legitimate Windows system library) into a temporary folder and runs ESET's Command Line Scanner from there. Because of the flaw, the scanner picks up that file instead of the genuine version.dll in the system folder and loads it as though it were the real library. The planted DLL is the first link in a chain.
The loaded file carries a C++ malware tool that Kaspersky named TCESB. Once running, TCESB first determines which version of Windows it is on, because the kernel structures it intends to modify differ between builds.
It then brings along a legitimately signed but known-vulnerable driver and loads it, the "bring your own vulnerable driver" technique. With the kernel access that driver provides, TCESB switches off the notification routines that security products register to learn about events such as new processes, threads and image loads. These are not alerts shown to the user; they are the callbacks that monitoring tools depend on, so disabling them blinds those tools to what the malware does next.
After that, TCESB launches one last payload from a separate file. This is the most worrying part: researchers could not obtain a sample of that payload, so what it does is still unknown.
Kaspersky's researchers noticed this behaviour while investigating earlier ToddyCat incidents and found the version.dll loader on several infected machines. ToddyCat had not used such a file before, which shows the group keeps looking for new ways around security controls. The loader was clearly built to do its work quietly and leave as few traces as possible on the compromised hosts.
Which ESET Products Are Affected?
The flaw affected a wide range of ESET products across both the consumer and the business lines. It is therefore not only home computers that were at risk, but office workstations and servers in large organizations as well, until the fix was applied.
Kaspersky has published indicators of compromise (IoCs) so organizations can check whether they have been targeted. IoCs are signs of infection such as file names, hashes and behaviours associated with the malware. Practical checks include looking for version.dll (or other system-library names) in any location other than the Windows system folders, and reviewing the installed drivers for versions with known vulnerabilities or that are otherwise out of date.
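The following is an added hunting script, not Kaspersky's IoC tooling, that performs the first of those checks: it walks a directory tree, reports every file named version.dll that does not sit under a trusted system directory, and compares each copy's SHA-256 with the reference copy found in the system directory. It uses only the standard library so it runs on any platform for testing; the system-directory layout and the constructed demo tree are assumptions, and the real hash list to compare against is whatever Kaspersky's published IoCs contain.

```python
"""Hunt for copies of a hijackable system DLL outside the system folders
(added example; the demo tree built below is constructed, not real)."""
import hashlib
import os
from pathlib import Path

# Library names worth hunting for. version.dll is the one named in the
# article; other names can be added here (assumption: lowercase names).
HIJACK_NAMES = {"version.dll"}


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(root, system_dirs, names=HIJACK_NAMES):
    """Return findings for files named in `names` located outside system_dirs.

    Each finding records the path, its SHA-256 and whether it matches the
    copy in a system directory (None when no reference copy exists).
    """
    system_dirs = [Path(d).resolve() for d in system_dirs]
    names = {n.lower() for n in names}

    # Reference hashes: the first copy of each name found in a system dir.
    reference = {}
    for name in names:
        for sysdir in system_dirs:
            candidate = sysdir / name
            if candidate.is_file():
                reference[name] = sha256_of(candidate)
                break

    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            key = filename.lower()
            if key not in names:
                continue
            full = Path(dirpath, filename).resolve()
            if any(full.is_relative_to(s) for s in system_dirs):
                continue  # the legitimate location; not a finding
            digest = sha256_of(full)
            ref = reference.get(key)
            findings.append({
                "path": str(full),
                "sha256": digest,
                "matches_system_copy": None if ref is None else ref == digest,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(base):
    """Construct a demo layout: a genuine copy in a fake System32, a
    planted copy in a temp folder, and a benign duplicate of the genuine
    file elsewhere. Returns the fake System32 path."""
    base = Path(base)
    sys32 = base / "Windows" / "System32"
    sys32.mkdir(parents=True, exist_ok=True)
    genuine = b"genuine-version-dll-bytes"
    (sys32 / "version.dll").write_bytes(genuine)
    (base / "Temp").mkdir(exist_ok=True)
    (base / "Temp" / "version.dll").write_bytes(b"planted-loader-bytes")
    (base / "App").mkdir(exist_ok=True)
    (base / "App" / "Version.DLL").write_bytes(genuine)
    return sys32


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = build_demo_tree(tmp)
        for finding in hunt(tmp, [sys32]):
            flag = "MATCHES system copy" if finding["matches_system_copy"] else "DIFFERS from system copy"
            print(f'{finding["path"]}  {finding["sha256"][:16]}...  {flag}')
```

On a real host you would call `hunt` with the drive root and the actual `Windows\System32` and `Windows\SysWOW64` directories; a copy that differs from the system library, or sits next to an unexpected executable in a temp folder, is the pattern described above and deserves a closer look (signature check, hash lookup against the published IoCs).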
This case is a strong reminder that applying software updates promptly is one of the most effective defences against cyberattacks. Even trusted programs such as antivirus tools can become an attack vector when a flaw is left unpatched, and a signed security binary loading an attacker's DLL is exactly the kind of trust that adversaries look to abuse.