How ToddyCat tried to hide behind AV software

To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drivers are loaded only if digitally signed by Microsoft. Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of the kernel. Monitoring tools track the installation of such drivers and check applications that perform it. But what if a security solution performs unsafe activity? Such software enjoys the trust of monitoring tools and doesn’t raise suspicions.


And that’s precisely what ToddyCat attackers exploited by running their tool in the context of a security solution.


Detection


In early 2024, while investigating ToddyCat-related incidents, we detected a suspicious file named version.dll in the temp directory on multiple devices.

This 64-bit DLL, written in C++, turned out to be a complex tool called TCESB. Previously unseen in ToddyCat attacks, it is designed to stealthily execute payloads while circumventing the protection and monitoring tools installed on the device.


Kaspersky products detect this tool as Trojan.Win64.ToddyCat.a and Trojan.Win64.ToddyCat.b.

Loading the tool


DLL proxying


Static analysis of the DLL showed that every function it exports imports a function of the same name from the system file version.dll (Version Checking and File Installation Libraries).