
Daemon Tools app backdoored in monthlong supply-chain attack

Originally published on: May 5, 2026
Summary

– A supply-chain attack on Daemon Tools pushed malicious updates from the developer’s servers from April 8, affecting signed installers for Windows versions 12.5.0.2421 through 12.5.0.2434.
– The initial payload collects system data like MAC addresses and running processes, sending it to an attacker server, with about 12 targeted organizations receiving a follow-on payload.
– Thousands of machines in over 100 countries were infected, with select retail, scientific, government, and manufacturing organizations specifically targeted.
– This attack is similar to past compromises like CCleaner and SolarWinds, which are hard to defend against because they use digitally signed updates from official channels.
– Kaspersky noted the attack’s sophistication, comparing its month-long detection time to the 2023 3CX attack, and urged organizations to check systems for abnormal activity since April 8.

The widely used disk-mounting utility Daemon Tools has been compromised in a monthlong supply-chain attack, with malicious updates distributed directly from its developer’s servers since April 8, according to researchers at Kaspersky. The security firm disclosed Tuesday that the attack remained active as of its public report.

Installers signed with the developer’s official digital certificate, downloaded from the legitimate website, infect Daemon Tools executables with malware that executes at system boot. While Kaspersky did not explicitly specify, technical details indicate only Windows versions are affected. The compromised builds span versions 12.5.0.2421 through 12.5.0.2434. Neither Kaspersky nor developer AVB could be reached for immediate comment.

These attacks are notoriously hard to defend against because users become infected simply by installing digitally signed updates from official channels. In this case, the initial payload collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales, then transmits them to an attacker-controlled server. Thousands of machines across more than 100 countries were targeted. Among them, roughly 12 devices belonging to organizations in retail, scientific, government, and manufacturing sectors received a second-stage payload, suggesting a targeted, selective operation.

This incident joins a troubling lineage of supply-chain compromises, including the 2017 CCleaner poisoning, the 2020 SolarWinds breach, and the 2023 3CX VoIP client attack. In each case, weeks or months passed before the compromised update channels were uncovered. Kaspersky researchers noted that the Daemon Tools attack demonstrates “highly sophisticated” orchestration, with a detection time of about one month comparable to the 3CX incident. They urged organizations to carefully examine any machines that had Daemon Tools installed, looking for abnormal cybersecurity-related activity on or after April 8.
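A triage check a defender could run over a software-inventory export, added here as an example that is not from the article or from Kaspersky; it flags hosts whose Daemon Tools build falls inside the reported range 12.5.0.2421 through 12.5.0.2434 or that were updated on or after April 8, 2026. The inventory records, the `installed` field and the product-name matching are constructed assumptions.

```python
"""Triage helper: flag hosts whose Daemon Tools build falls in the
compromised range 12.5.0.2421 .. 12.5.0.2434 (inclusive) reported by
Kaspersky, or whose install date is on/after 2026-04-08 (campaign start).
The inventory records below are constructed sample data, not real hosts."""
from dataclasses import dataclass
from datetime import date

AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)
CAMPAIGN_START = date(2026, 4, 8)

def parse_version(text: str) -> tuple:
    # Compare numerically, never as strings: "12.5.0.243" sorts after
    # "12.5.0.2421" lexicographically. Missing trailing parts count as 0.
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])

def is_affected_version(text: str) -> bool:
    try:
        v = parse_version(text)
    except ValueError:
        return False  # unparsable version string; caller may report it separately
    return AFFECTED_LOW <= v <= AFFECTED_HIGH

@dataclass
class InventoryRecord:
    host: str
    product: str
    version: str
    installed: date  # assumed field from a software-inventory export

def triage(records):
    """Return (host, reason) pairs that need a closer look."""
    flagged = []
    for r in records:
        if "daemon tools" not in r.product.lower():
            continue
        if is_affected_version(r.version):
            flagged.append((r.host, "build in compromised range"))
        elif r.installed >= CAMPAIGN_START:
            flagged.append((r.host, "updated on/after 2026-04-08, verify build"))
    return flagged

SAMPLE = [  # constructed inventory, not real hosts
    InventoryRecord("ws-01", "Daemon Tools", "12.5.0.2430", date(2026, 4, 20)),
    InventoryRecord("ws-02", "Daemon Tools", "12.5.0.2419", date(2026, 3, 1)),
    InventoryRecord("ws-03", "Daemon Tools", "12.6.0.100", date(2026, 4, 30)),
    InventoryRecord("ws-04", "Notepad++", "8.6.9", date(2026, 4, 15)),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE):
        print(host, reason)
```

Hosts flagged by version are the priority; hosts flagged only by date should have their build number confirmed against the range before being cleared.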

(Source: Ars Technica)
