PT-2025-15185 · Eset · Eset Command Line Scanner

Published: 2025-01-21 · Updated: 2025-11-25 · CVE-2024-11859

CVSS v4.0: 8.4 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ESET Command Line Scanner (affected versions not specified)

Description: The ESET Command Line Scanner contains a DLL search order hijacking issue in the way it loads the version.dll library. An attacker with administrator privileges can use this to load a malicious dynamic-link library and execute its code. The ToddyCat APT group has been actively exploiting this issue to deploy malware such as TCESB, replacing the legitimate version.dll with a malicious one. TCESB uses techniques to bypass security measures, including disabling security notifications and exploiting vulnerable drivers to gain kernel-level access. The malware can steal Outlook emails, browser credentials, and Microsoft 365 access tokens. The exploitation relies on DLL proxying: the malicious DLL exports the functions of the legitimate DLL while executing malicious code in the background. The attackers also use tools such as TCSectorCopy to access corporate email and SharpTokenFinder to obtain authentication tokens.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
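Since no fixed version is known, the practical control is to check whether a version.dll has been placed beside the scanner executable, where the default DLL search order would load it ahead of the System32 copy. The following audit script is an added example, not part of the advisory or of ESET's software; the application directory path is a placeholder and the list of watched DLL names is an assumption.

```powershell
# Added example (not from the advisory or from ESET): audit an application
# directory for DLLs that would shadow their System32 counterparts.
# $AppDir is a placeholder; point it at the directory holding the scanner binary.
param(
    [string]$AppDir = 'C:\PLACEHOLDER\EsetCommandLineScanner',
    [string[]]$WatchedDlls = @('version.dll')   # assumed watch list; extend as needed
)

$system32 = Join-Path $env:SystemRoot 'System32'

foreach ($name in $WatchedDlls) {
    $candidate = Join-Path $AppDir $name
    $sysCopy   = Join-Path $system32 $name

    if (-not (Test-Path -LiteralPath $candidate)) {
        [pscustomobject]@{ Dll = $name; Present = $false; Path = $candidate }
        continue
    }

    # A copy of a system DLL in the application directory is loaded first by the
    # default search order, so its mere presence is worth an alert. Record the
    # Authenticode status and whether the file matches the System32 copy.
    $sig  = Get-AuthenticodeSignature -FilePath $candidate
    $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    $sysHash = if (Test-Path -LiteralPath $sysCopy) {
        (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
    } else { $null }

    [pscustomobject]@{
        Dll             = $name
        Present         = $true
        Path            = $candidate
        SignatureStatus = $sig.Status                 # 'Valid' for a trusted signer
        Signer          = $sig.SignerCertificate.Subject
        MatchesSystem32 = ($hash -eq $sysHash)
        Sha256          = $hash
    }
}
```

Any hit with Present = $true deserves investigation even when the signature is valid, because a legitimate copy of version.dll has no reason to sit in the application directory; an unsigned or mismatching copy is the pattern described in this advisory.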

Weakness Enumeration

Uncontrolled Search Path Element

Related Identifiers

BDU:2025-04083
CVE-2024-11859

Affected Products

Eset Command Line Scanner