DAEMON Tools Breach Confirmed

May 6, 2026 20:02

DAEMON Tools Breach Confirmed by Disc Soft Limited

Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version. The company stated that within less than 12 hours of identifying the issue, they were able to implement a solution.

According to Disc Soft, the issue was limited to the free DAEMON Tools Lite version and did not affect any of their other products. The company has not identified evidence supporting claims that all DAEMON Tools users were impacted, and at this stage, they are not in a position to confirm any impact on customers of paid versions.

Investigation and Response

Disc Soft has secured its infrastructure and is continuing to investigate the incident. The company has yet to attribute the attack to a specific threat actor or share additional information about the breach, including the attack vector used to access its systems.

A separate statement published by Disc Soft earlier today stated that following an internal investigation, they identified unauthorized interference within their infrastructure. As a result, certain installation packages were impacted within their build environment and were released in a compromised state.

Impact and Mitigation

Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5. Users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) since April 8 are advised to uninstall the app, run a full system scan using security or antivirus software, and install the latest version of DAEMON Tools Lite (12.6) from the official website.

Disc Soft has removed the trojanized version, which is no longer supported, and now displays a warning prompting users to install the latest version of DAEMON Tools Lite.

Attack Details

According to cybersecurity company Kaspersky, hackers trojanized DAEMON Tools Lite installers and used them to backdoor thousands of systems from more than 100 countries that downloaded the software from the official website since April 8. After the unsuspecting users executed the digitally signed trojanized installers (versions ranging from 12.5.0.2421 to 12.5.0.2434), the malicious code embedded in the compromised binaries deployed a payload designed to establish persistence and activate a backdoor on system startup.

The first-stage malware dropped in the attack was a basic information stealer that collected system data (including hostname, MAC address, running processes, installed software, and system locale) and sent it to attacker-controlled servers for victim profiling. Based on the results, some of the infected systems received a second stage, a lightweight backdoor that can execute commands, download files, and run code directly in memory.

Victims and Malware

In at least one case, Kaspersky observed the deployment of QUIC RAT malware, which can inject malicious code into legitimate processes and supports multiple communication protocols. While investigating the attack, Kaspersky found that retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand, as well as home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China, were among the victims whose devices were infected with malicious payloads.

Today, in an update to the original report, the Russian cybersecurity company confirmed that DAEMON Tools Lite 12.6.0, released yesterday, no longer exhibits malicious behavior.

"Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it. The updated DAEMON Tools version 12.6.0.2445 no longer shows the malicious behavior," Kaspersky said.
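For triaging a software inventory against the versions named in this article, the following is an added example, not code from Disc Soft, Kaspersky, or BleepingComputer. The CSV columns (`host`, `product`, `version`), the product string, and the sample rows are assumptions. Only the version boundaries come from the article.

```python
import csv
import io

# Version values below come from the article; the CSV layout is an assumption.
TROJAN_LOW = (12, 5, 0, 2421)    # first trojanized build reported by Kaspersky
TROJAN_HIGH = (12, 5, 0, 2434)   # last trojanized build reported by Kaspersky
ADVISORY = (12, 5, 1)            # version named in Disc Soft's uninstall advice
CLEAN_SERIES = (12, 6)           # 12.6 / 12.6.0.2445 reported clean

def parse_version(text):
    """'12.5.0.2421' -> (12, 5, 0, 2421); None if any part is not a number."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "review"          # unparseable value: needs a human look
    if len(v) == 4 and TROJAN_LOW <= v <= TROJAN_HIGH:
        return "affected"
    if v[:3] == ADVISORY:
        return "affected"
    if v[:2] == (12, 5):
        return "review"          # 12.5.x but build missing or outside the range
    if v[:2] == CLEAN_SERIES:
        return "fixed"
    return "not-listed"          # version the article says nothing about

def triage(inventory_csv):
    """Map host -> status for every DAEMON Tools Lite row in the inventory."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "daemon tools lite" in row["product"].lower():
            result[row["host"]] = classify(row["version"])
    return result

# Constructed sample inventory (hosts and non-article versions are made up).
SAMPLE = """host,product,version
ws-014,DAEMON Tools Lite,12.5.0.2427
ws-022,DAEMON Tools Lite,12.6.0.2445
ws-031,DAEMON Tools Lite,12.5.1
ws-040,DAEMON Tools Lite,12.5.0.2400
ws-051,DAEMON Tools Lite,11.2.0.2080
ws-060,Other Tool,1.0
ws-077,DAEMON Tools Lite,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts marked `review` report a 12.5 version that neither statement covers exactly, so they are left for manual inspection instead of being declared clean.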


Source: BleepingComputer
