Widely used Daemon Tools disk application hijacked in month-long supply chain attack

Daemon Tools, an application widely used for mounting disk images, was backdoored as part of a months-long compromise that pushed malicious updates to its developer's servers, researchers said Tuesday.

Kaspersky, the security company that reported the supply chain attack, said it began on April 8 and remained active until its post went live. Installers signed by the developer's official digital certificate and downloaded from its website infect Daemon Tools executables, causing the malware to run at boot time. Kaspersky didn't say this explicitly, but based on the technical details, the infected versions appear to be only those running Windows. Versions 12.5.0.2421 to 12.5.0.2434 are affected. Neither Kaspersky nor developer AVB could immediately be contacted for further details.

Difficult to defend yourself

Infected versions contain an initial payload that collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. The malware sends them to a server controlled by an attacker. Thousands of machines in more than 100 countries have been targeted. Among the many infected machines, approximately 12 of them, belonging to retail, scientific, government, and manufacturing organizations, received a tracking payload, indicating that the supply chain attack is targeting selected groups.

This incident is just the latest attack on the supply chain. Other such attacks include the poisoning of the Windows utility CCleaner in 2017, the SolarWinds application management software for businesses in 2020, and the 3CX VoIP client in 2023. Such attacks are difficult to defend against because users are infected when they do nothing other than install digitally signed updates available through official channels. In all three cases, it took weeks or months before the compromised update distribution channels were discovered.

“Based on our long experience in analyzing supply chain attacks, we can conclude that the attackers orchestrated the compromise of DAEMON Tools in a very sophisticated manner,” Kaspersky researchers wrote. “For example, the time it took to detect this attack, which turned out to be approximately one month, is comparable to the 3CX supply chain attack that we studied with the cybersecurity community in 2023. Given the high complexity of the attack, it is paramount that organizations carefully examine the machines on which DAEMON Tools is installed, to detect any abnormal cybersecurity-related activity that occurred on or after April 8.”
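The two concrete facts a defender can act on here are the affected build range (12.5.0.2421 to 12.5.0.2434) and the April 8 start date. The following triage helper, an added example that is not from the article or from Kaspersky, walks a software-inventory export and flags hosts whose DAEMON Tools build falls inside that range, noting whether the install date lands in the campaign window. The inventory rows are constructed sample data, the `YEAR` value is an assumption (the article gives no year), and the version strings are compared as integer tuples because a plain string comparison would misorder builds such as `2434` and `243`.

```python
"""Flag inventory entries with a DAEMON Tools build in the affected range."""
from datetime import date

# Affected build range as reported in the article.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

YEAR = 2025  # assumption: the article names April 8 but no year
CAMPAIGN_START = date(YEAR, 4, 8)

# Constructed sample inventory: (hostname, reported version, install date).
SAMPLE_INVENTORY = [
    ("ws01", "12.5.0.2421", date(YEAR, 4, 10)),   # first affected build, in window
    ("ws02", "12.5.0.2420", date(YEAR, 4, 10)),   # one build below the range
    ("ws03", "12.5.0.2434", date(YEAR, 3, 30)),   # affected build, stale install date
    ("ws04", "12.5.0.2435", date(YEAR, 5, 1)),    # one build above the range
    ("ws05", "12.5.0", date(YEAR, 4, 9)),         # truncated version string
    ("ws06", "unknown", date(YEAR, 4, 9)),        # unparseable entry
]


def parse_version(text):
    """Turn '12.5.0.2421' into a 4-tuple of ints, padding missing parts with 0.

    Raises ValueError for anything that is not dot-separated integers.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version shape: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when the build is inside the inclusive affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory):
    """Return {hostname: status} for every host that needs a closer look.

    Hosts on unaffected builds are omitted. Unparseable versions are reported
    rather than skipped, because silent drops hide exactly the machines an
    analyst most needs to inspect by hand.
    """
    findings = {}
    for host, version_text, installed_on in inventory:
        try:
            version = parse_version(version_text)
        except ValueError:
            findings[host] = "unparseable version; inspect manually"
            continue
        if not is_affected(version):
            continue
        if installed_on >= CAMPAIGN_START:
            findings[host] = "affected build installed on or after April 8"
        else:
            # Inventory dates can be stale; the build itself is still in range.
            findings[host] = "affected build; verify update history since April 8"
    return findings


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Feed the function the output of whatever inventory tool is in use (the third column only needs to be a `date`); hosts it returns are the ones to examine for post-April 8 activity, as the Kaspersky quote above recommends.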

![Widely used Daemon Tools disk application hijacked in month-long supply chain attack](https://cdn.arstechnica.net/wp-content/uploads/2022/08/GettyImages-1230467668-1152x648.jpg)
