DAEMON Tools trojanized in supply-chain attack to deploy backdoor
Hackers trojanized installers for the DAEMON Tools software and since April 8, delivered a backdoor to thousands of systems that downloaded the product from the official website.
The supply-chain attack led to thousands of infections in more than 100 countries. However, second-stage payloads were deployed only to a dozen machines, indicating a targeted attack aimed at high-value targets.
Among the victims receiving next-stage payloads are retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.
A report today from cybersecurity company Kaspersky notes that the attack is ongoing and that trojanized software includes DAEMON Tools versions from 12.5.0.2421 through 12.5.0.2434, specifically the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.
DAEMON Tools is a Windows utility that allows mounting disk image files as virtual drives. The software was extremely popular in the 2000s, especially among gamers and power users, but today its deployment is limited to environments where virtual drive management is required.
As of today, Kaspersky says that the attack is ongoing.
Once unsuspecting users download and execute the digitally signed trojanized installers, the malicious code embedded in the compromised binaries runs. The payload establishes persistence and activates a backdoor on system startup, which then contacts the attackers' server; the server can respond with commands that instruct the system to download and execute additional payloads.
The first-stage malware is a basic information stealer that collects system data, such as hostname, MAC address, running processes, installed software, and system locale, and sends them to the attackers for victim profiling.

Source: Kaspersky
Based on the results, some systems receive a second stage, which is a lightweight backdoor that can execute commands, download files, and run code directly in memory.

Source: Kaspersky
In at least one case targeting a Russian educational institute, Kaspersky observed the deployment of a more advanced malware strain dubbed QUIC RAT, which supports multiple communication protocols and can inject malicious code into legitimate processes.
BleepingComputer has contacted DAEMON Tools with a request for a comment on the supply chain attack, but we have not heard back by publication.
Kaspersky describes the DAEMON Tools supply-chain attack as a sufficiently sophisticated compromise that evaded detection for almost one month.
“Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had DAEMON Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8,” the researchers say.
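A starting point for the check Kaspersky recommends, as an added example that is not part of the article or of Kaspersky's report: a PowerShell inventory script that locates the three binaries named above on a Windows host and flags file versions in the range reported as trojanized. The search roots and the use of the executable's FileVersion as the build identifier are assumptions.

```powershell
# Added example (not from the article or Kaspersky): inventory DAEMON Tools
# binaries and flag those whose FileVersion falls in the range the article lists.
# Assumptions: the binaries live under the usual Program Files / app-data roots,
# and FileVersion tracks the product build number.
$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'
$Binaries    = @('DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe')
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                 "$env:ProgramData", "$env:LOCALAPPDATA")

function Test-AffectedVersion {
    param([string]$FileVersionString)
    # Some vendors separate version fields with commas; normalise before parsing.
    $v = $null
    if (-not [version]::TryParse(($FileVersionString -replace ',', '.').Trim(), [ref]$v)) {
        return $false
    }
    return ($v -ge $AffectedMin -and $v -le $AffectedMax)
}

$findings = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -Include $Binaries -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The article notes the trojanized installers were digitally signed,
            # so a valid signature is recorded for context, not as a clean verdict.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Affected    = Test-AffectedVersion $_.VersionInfo.FileVersion
                LastWrite   = $_.LastWriteTimeUtc
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
            }
        }
}

$findings | Sort-Object Affected -Descending | Format-Table -AutoSize
if ($findings | Where-Object Affected) {
    Write-Warning 'Binaries in the reported version range found; review host activity from April 8 onward.'
}
```

A hit only narrows the search: the article's guidance is to examine the host for abnormal activity from April 8 onward, not to treat the version match alone as confirmation of compromise.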
Although Kaspersky does not attribute the attack to a particular threat actor, based on strings found in the first-stage payload, the researchers believe that the attacker is Chinese speaking.
Since the beginning of the year, software supply-chain attacks have been detected almost every month: eScan in January, Notepad++ in February, CPU-Z in April, and DAEMON Tools this month.
Similar attacks targeting code repositories, packages, and extensions have been even more prevalent this year, with Trivy, Checkmarx, and the Glassworm campaigns being among the most prominent.