DAEMON Tools trojanized in supply-chain attack to deploy backdoor
Kaspersky reports a supply-chain attack that trojanized DAEMON Tools installers, delivering a backdoor to thousands of systems worldwide since April 8, 2026. The first-stage malware acts as an information stealer, while some victims received a second-stage payload—a lightweight backdoor capable of executing commands and downloading files, sometimes in memory. In at least one case, a more advanced QUIC RAT was deployed against a Russian educational institution. The campaign affected users in over 100 countries, but second-stage payloads targeted about a dozen high-value targets in sectors such as retail, science, government, and manufacturing in Russia, Belarus, and Thailand. Affected DAEMON Tools versions span 12.5.0.2421–12.5.0.2434, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, and the attack is ongoing as of May 5, 2026. Organizations should audit systems with DAEMON Tools installed since April 8 and bolster supply-chain defenses.

DAEMON Tools Trojanized in Supply-Chain Attack to Deploy Backdoor
Overview
- A sophisticated supply-chain compromise targeted DAEMON Tools installers distributed via the official website, beginning in early April.
- The campaign reached thousands of systems across more than 100 countries, but second-stage payloads were only delivered to about a dozen machines, indicating a highly selective objective.
- Victims span sectors such as retail, scientific, government, and manufacturing, with confirmed activity affecting entities in Russia, Belarus, and Thailand.
- The operation relied on trojanized installers that carried valid digital signatures; on first execution the embedded code set up persistence and a backdoor that accepts remote commands and staged payloads.
Attack Chain and Timeline
- The attack relied on compromised DAEMON Tools installer packages, signed to appear legitimate, that users downloaded from the official site.
- After execution, the malicious code established persistence so that the backdoor launched at system startup and opened a command-and-control channel.
- The control server could instruct the backdoor to fetch and execute additional payloads, giving the operators a staged infection process.
- The backdoor operated for nearly a month before discovery, remaining undetected in many environments.
Stage 1: Information Stealer
- The first-stage malware functions as a basic information stealer.
- It collects system details such as hostname, MAC addresses, running processes, installed software, and system locale.
- Collected data is transmitted to operators to profile victims and guide subsequent actions.
Stage 2: Lightweight Backdoor
- In some systems, a second-stage payload is deployed that acts as a lightweight backdoor.
- This backdoor can:
  - Accept and execute commands issued by the operator
  - Download additional files
  - Run code directly in memory, reducing its on-disk footprint and increasing stealth
- The backdoor is designed to operate with minimal footprint while providing dynamic control over the compromised host.
Advanced Variant: QUIC RAT
- In at least one observed deployment targeting a Russian educational institution, the attackers delivered a more advanced malware strain known as QUIC RAT.
- QUIC RAT supports multiple communication protocols and has capabilities to inject malicious code into legitimate processes, enhancing stealth and persistence.
Affected Binaries and Versions
- The trojanized components were found in DAEMON Tools versions ranging from 12.5.0.2421 to 12.5.0.2434.
- The compromised binaries include DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
- Once the tampered package is installed, these binaries carry and launch the malicious logic.
Targets and Geographic Reach
- The campaign first cast a wide net, spreading the trojanized installer to ordinary users at scale.
- Notable secondary targets included high-value organizations across retail, scientific research, government, and manufacturing sectors.
- Geographic focus observed in Russia, Belarus, and Thailand, though the reach extended into many other countries.
Detection and Observations
- Kaspersky researchers described the DAEMON Tools compromise as highly sophisticated, evading detection for nearly a month.
- Because the tampered binaries carried valid signatures, simple checks such as signature validation passed, complicating early discovery.
- Given the attackers' evident focus on high-value targets, analysts recommend auditing any machine on which DAEMON Tools was installed on or after April 8 for anomalous activity.
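The following host-audit script is an added example for the version range and binaries listed under Affected Binaries and Versions and for the audit recommended above; it is not code from Kaspersky or from the DAEMON Tools vendor. It enumerates the three named executables under a set of install roots (the default paths are assumptions, not taken from the report), builds each file's version from the numeric PE version fields, flags versions inside 12.5.0.2421 to 12.5.0.2434, and records the SHA-256 hash, Authenticode status and signer, and whether the file was written on or after April 8, 2026. Because the campaign shipped validly signed binaries, a signature status of Valid is recorded for context but is not treated as clearing a file.

```powershell
# Added audit script for the DAEMON Tools supply-chain compromise.
# Not from Kaspersky or the DAEMON Tools vendor; assumptions are marked below.
# Run in an elevated PowerShell session on the host being audited.

# Install roots to search. Assumed typical defaults, not paths from the report;
# add the locations used in your environment.
$SearchRoots = @(
    "$env:ProgramFiles\DAEMON Tools Lite",
    "${env:ProgramFiles(x86)}\DAEMON Tools Lite",
    "$env:ProgramFiles\DAEMON Tools Ultra"
)

# Binaries the report names as carrying the trojanized logic.
$SuspectNames = @('DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe')

# File-version range the report lists as affected.
$MinBad = [version]'12.5.0.2421'
$MaxBad = [version]'12.5.0.2434'

# Date from which trojanized installers were served, per the report.
$CampaignStart = [datetime]'2026-04-08'

function Get-FileVersionObject {
    # Build a System.Version from the numeric PE version fields rather than the
    # free-text FileVersion string, which vendors format inconsistently.
    param([System.Diagnostics.FileVersionInfo]$Info)
    return [version]::new($Info.FileMajorPart, $Info.FileMinorPart,
                          $Info.FileBuildPart, $Info.FilePrivatePart)
}

function Test-InAffectedRange {
    param([version]$Version)
    return ($Version -ge $MinBad -and $Version -le $MaxBad)
}

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include $SuspectNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = Get-FileVersionObject $_.VersionInfo
            # The campaign shipped validly signed files, so 'Valid' here does not
            # clear a binary; the version range and hash are the stronger signals.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path         = $_.FullName
                FileVersion  = $ver.ToString()
                InBadRange   = Test-InAffectedRange $ver
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus    = $sig.Status
                Signer       = $signer
                LastWrite    = $_.LastWriteTime
                WrittenAfter = ($_.LastWriteTime -ge $CampaignStart)
            }
        }
}

# Installation records from the Uninstall registry keys; InstallDate, when
# present, is a yyyyMMdd string and corroborates the file timestamps above.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

$installs | Format-Table -AutoSize
$findings | Sort-Object InBadRange -Descending | Format-Table -AutoSize

if ($findings | Where-Object { $_.InBadRange }) {
    Write-Warning 'Binaries in the affected version range found; treat the host as suspect and preserve it for forensic review.'
}
```

Export the `$findings` objects (for example with `Export-Csv`) from each audited host and compare the SHA-256 values against hashes of installers obtained from the vendor after the compromise was cleaned up; a file in the affected version range, or one written after April 8 whose hash is not on that clean list, warrants isolating the host and reviewing startup entries and outbound connections rather than simply uninstalling the package.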
Context within a Growing Trend
- Supply-chain and software package attacks have gained momentum this year (2026), with multiple notable incidents affecting update servers, code repositories, and third-party extensions.
- Other named examples this year include incidents involving eScan, Notepad++, CPU-Z, and various package ecosystems, underscoring a broader shift toward targeting trusted software supply chains.
- In this landscape, DAEMON Tools joins a cluster of campaigns in which attackers blend into legitimate software delivery streams to achieve broad initial compromise before escalating to targeted follow-on infections.
Technical Takeaways
- The attack chain combined trusted signatures with tampered binaries to gain initial foothold.
- Early-stage data collection supports victim profiling, enabling efficient allocation of limited second-stage payloads to selected targets.
- The presence of a second-stage backdoor capable of in-memory execution and dynamic payload delivery signals a modular, stealthy approach.
- The appearance of QUIC RAT in one deployment demonstrates the potential for rapid escalation and cross-process execution capabilities in select environments.
Ongoing Status
- As of May 5, 2026, the attack remained active, with investigations by security vendors continuing.
- The findings highlight the importance of monitoring for post-install anomalous activity on devices that installed the trojanized DAEMON Tools package.
Closing Notes
- The DAEMON Tools supply-chain incident exemplifies how trusted software channels can be weaponized to deliver backdoors.
- The campaign paired wide distribution with selective follow-on payloads, and its implications for software supply-chain security remain significant.
- The incident reinforces the need for rigorous validation of software updates, enhanced signing and integrity checks, and vigilant monitoring of systems post-installation of widely used utilities.


