New TCESB malware found in active attacks exploiting a flaw in ESET's security scanner

By Admin, April 9, 2025
09 April 2025Red LakshmananSecurity / vulnerability Windows

A China-linked threat actor known for its cyber attacks in Asia has been observed exploiting a security flaw in ESET security software to deliver a previously undocumented malware codenamed TCESB.

“Previously unseen in ToddyCat attacks, [TCESB] is designed for stealth,” Kaspersky noted in an analysis published this week.

ToddyCat is the name given to a threat activity cluster that has targeted several organizations in Asia, with attacks dating back to at least December 2020.

Last year, the Russian cybersecurity vendor detailed the group's use of various tools to maintain persistent access to compromised environments and to harvest data on an “industrial scale” from organizations located in the Asia-Pacific region.

Kaspersky said that its investigation in early 2024 turned up a suspicious DLL file (“version.dll”) on several devices. Found to be a 64-bit DLL, TCESB is launched through a technique called DLL search order hijacking in order to seize control of the flow of execution.

This, in turn, was achieved by abusing a flaw in the ESET Command Line Scanner, which insecurely loads a DLL named “version.dll” by first looking for the file in the current directory and only then checking the system directories.

It should be noted at this point that “version.dll” is a legitimate Version Checking and File Installation Library from Microsoft, located in “C:\Windows\System32\” or “C:\Windows\SysWOW64\”.

The consequence of this gap is that the attackers could get their own malicious version of “version.dll” executed instead of the legitimate counterpart. The vulnerability, tracked as CVE-2024-11859 (CVSS score: 6.8), was fixed by ESET in late January 2025 following responsible disclosure.

“The vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code,” ESET noted in an advisory released last week. “This technique did not elevate privileges; the attacker would already need to have administrator privileges to perform this attack.”

In a statement shared with The Hacker News, the Slovak cybersecurity company said it had released fixed builds of its consumer, business and security products for the Windows operating system to address the vulnerability.

TCESB, for its part, is a modified version of an open-source tool called EDRSandBlast, which includes features to alter kernel structures in order to disable notification routines (callbacks) that are designed to let drivers be notified of certain events, such as process creation or the setting of a registry key.

To accomplish this, TCESB uses another well-known technique called Bring Your Own Vulnerable Driver (BYOVD) to install a vulnerable driver, the Dell DBUtilDrv2.sys driver, on the system through the Device Manager. The DBUtilDrv2.sys driver is susceptible to a known privilege escalation flaw tracked as CVE-2021-36276.

This is not the first time Dell drivers have been abused for malicious purposes. In 2022, a similar privilege escalation vulnerability (CVE-2021-21551) in another Dell driver, dbutil_2_3.sys, was also exploited as part of BYOVD attacks by the North Korea-linked Lazarus Group to disable security mechanisms.

“Once the vulnerable driver is installed on the system, TCESB runs a loop in which it checks every two seconds for the presence of a payload file with a specific name in the current directory; the payload may not be present at the time the tool is launched,” said Kaspersky researcher Andrey Gunkin.

While the payload artifacts themselves were unavailable, further analysis determined that they are encrypted with AES-128 and that they are decrypted and executed as soon as they appear at the specified path.

“To detect the activity of such tools, it is recommended to monitor systems for installation events involving drivers with known vulnerabilities,” Kaspersky said. “You should also monitor events related to Windows kernel debugging on devices where it is not expected.”
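The two behaviours described in this article, a “version.dll” resolved from outside the Windows system directories (the search order hijack) and a load of one of the named Dell drivers (BYOVD), are what Kaspersky's recommendation asks defenders to watch for. The following is an added Python example, not code from the article, Kaspersky or ESET, that flags both in constructed Sysmon-style ImageLoad and DriverLoad records; the event line format, the scanner path and the process names are assumptions.

```python
"""Flag DLL search-order hijack and BYOVD indicators in Sysmon-style events.

The event format is constructed for this example; the field names mirror
Sysmon's ImageLoad (EventID 7) and DriverLoad (EventID 6) events.
"""
from pathlib import PureWindowsPath

# Dell drivers named in the article as BYOVD targets.
VULNERABLE_DRIVERS = {"dbutildrv2.sys", "dbutil_2_3.sys"}
# The only legitimate homes of Microsoft's version.dll.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HIJACK_TARGETS = {"version.dll"}


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict with lower-cased keys."""
    pairs = (kv.split("=", 1) for kv in line.split("|") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def classify(event):
    """Return a finding string for a suspicious event, or None if benign."""
    eid = event.get("eventid")
    loaded = PureWindowsPath(event.get("imageloaded", ""))
    if eid == "7" and loaded.name.lower() in HIJACK_TARGETS:
        # A version.dll resolved anywhere but System32/SysWOW64 means the
        # loader found it earlier in the search order, e.g. the current dir.
        if str(loaded.parent).lower() not in SYSTEM_DIRS:
            return f"possible DLL search-order hijack: {event.get('image')} loaded {loaded}"
    elif eid == "6" and loaded.name.lower() in VULNERABLE_DRIVERS:
        return f"known-vulnerable driver loaded (BYOVD): {loaded}"
    return None


def scan(lines):
    """Run classify over raw event lines and keep the findings, in order."""
    return [f for f in (classify(parse_event(ln)) for ln in lines) if f]


# Constructed sample events (paths and process names are illustrative).
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Tools\cmdscan.exe|ImageLoaded=C:\Windows\System32\version.dll",
    r"EventID=7|Image=C:\Tools\cmdscan.exe|ImageLoaded=C:\Tools\version.dll",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\DBUtilDrv2.sys|Signature=Dell Inc.",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\disk.sys|Signature=Microsoft Windows",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second and third sample records produce findings; the legitimate System32 copy of version.dll and the Microsoft disk driver pass silently.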
