DAEMON Tools devs confirm breach, release malware-free version
Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version.
“Within less than 12 hours of identifying the issue, we were able to implement a solution. Based on our current findings, the issue was limited to the free DAEMON Tools Lite version and did not affect any of our other products,” Disc Soft told BleepingComputer.
“We have not identified evidence supporting claims that all DAEMON Tools users were impacted, and at this stage, we are not in a position to confirm any impact on paid versions customers. Our current analysis indicates that DAEMON Tools Pro and DAEMON Tools Ultra were not affected and absolutely safe.”
In a separate statement published earlier today, Disc Soft also said it has secured its infrastructure. Still, it has yet to attribute the attack to a specific threat actor or share additional information about the breach, including the attack vector used to access its systems, as it continues to investigate the incident.
“Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5.” the company said.
“Users of other DAEMON Tools products, including paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro are not affected by this incident and can continue using their software as usual.”
Users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) since April 8 are advised to uninstall the app, run a full system scan using security or antivirus software, and install the latest version of DAEMON Tools Lite (12.6) from the official website.
Disc Soft has removed the trojanized version, which is no longer supported, and now displays a warning prompting users to install the latest version of DAEMON Tools Lite.
As cybersecurity company Kaspersky revealed on Tuesday, hackers trojanized DAEMON Tools Lite installers and used them to backdoor thousands of systems from more than 100 countries that downloaded the software from the official website since April 8.
After the unsuspecting users executed the digitally signed trojanized installers (versions ranging from 12.5.0.2421 to 12.5.0.2434), the malicious code embedded in the compromised binaries deployed a payload designed to establish persistence and activate a backdoor on system startup.
The first-stage malware dropped in the attack was a basic information stealer that collected system data (including hostname, MAC address, running processes, installed software, and system locale) and sent it to attacker-controlled servers for victim profiling. Based on the results, some of the infected systems received a second stage, a lightweight backdoor that can execute commands, download files, and run code directly in memory.
In at least one case, Kaspersky observed the deployment of a QUIC RAT malware, which can inject malicious code into legitimate processes and supports multiple communication protocols.
While investigating the attack, Kaspersky found that retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand, as well as home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China, were among the victims whose devices were infected with malicious payloads.
Today, in an update to the original report, the Russian cybersecurity company confirmed that DAEMON Tools Lite 12.6.0, released yesterday, no longer exhibits malicious behavior.
“Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it,” Kaspersky said. “The updated DAEMON Tools version 12.6.0.2445 no longer shows the malicious behavior.”
Update May 06, 14:09 EDT: Added Disc Soft statement.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
