DAEMON Tools Supply Chain Attack Delivers Malware via Official Installers

A newly identified supply chain attack targeting the popular disc emulation software DAEMON Tools has compromised its official installers to deliver malicious payloads to unsuspecting users, cybersecurity firm Kaspersky has disclosed.

Researchers from Kaspersky reported that the affected installers are distributed directly from the legitimate DAEMON Tools website and bear valid digital signatures belonging to the software’s developers. This discovery underscores the sophisticated nature of the attack, as the malicious files were indistinguishable from genuine software downloads.

Nature of the Breach

According to the Kaspersky report, the incident is classified as a supply chain attack. This type of cyberattack involves infiltrating a trusted third party, such as a software vendor, to distribute malware through legitimate channels. In this case, the attackers managed to replace the authentic DAEMON Tools installer on the official website with a version that contains a hidden malware component.

Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, and Leonid Bezvershenko identified that the trojanized installer, while appearing to function normally, secretly downloads and executes a backdoor on the victim’s machine. This backdoor can allow attackers to steal credentials, capture screenshots, log keystrokes, and execute additional remote commands, providing the threat actors with persistent access to the compromised system.

The compromised installers are signed with digital certificates, a security measure typically intended to assure users that the software has not been tampered with and comes from a verified publisher. The fact that the attackers obtained or abused these certificates indicates a high degree of access to the developer’s internal systems or a successful phishing or credential theft operation aimed at the software supply chain.

Scope and Impact

Kaspersky did not immediately disclose the total number of affected users or the specific timeframe during which the malicious installers were available for download. However, the security researchers emphasized that the attack is significant because it bypasses traditional security checks. Many consumers and businesses trust digitally signed software from official company websites, making supply chain attacks particularly dangerous and difficult to detect.

The researchers noted that the malware used in this campaign is designed to evade security software. It employs techniques such as process hollowing, in which a legitimate process is launched in a suspended state and its code is replaced with malicious code, and it communicates with remote command and control servers to exfiltrate data. These methods are commonly associated with advanced persistent threat groups.

Users who downloaded and installed DAEMON Tools from the official website over the past several weeks may be at risk. The attackers likely targeted a wide range of users, including gamers, IT professionals, and enterprises that use the software for virtualization or disc imaging tasks.

Response and Mitigation

DAEMON Tools representatives had not issued a public statement as of the time of this report. Kaspersky stated that it has informed the software company about the incident and is cooperating with relevant authorities to mitigate the impact. The security firm recommended that users who have recently installed DAEMON Tools check their systems for indicators of compromise and immediately scan their computers with up-to-date antivirus software.

Kaspersky has published a detailed technical analysis of the attack, including the specific hashes of the malicious installers and the domains used for command and control communications. The researchers advised that organizations should review their software supply chain security practices, including verifying the integrity of downloaded files through checksums and implementing strict application whitelisting policies.

The incident adds to a growing list of supply chain attacks that have compromised trusted software distribution channels in recent years. As attackers increasingly target the software development and distribution pipeline, security experts continue to urge both developers and end users to adopt a zero trust approach to software installations, even when files originate from official sources.

Moving forward, Kaspersky anticipates that law enforcement and cybersecurity agencies will investigate the origins of the attack and the identity of the threat actors. The findings from this investigation could lead to further advisories or security updates for DAEMON Tools users. In the interim, users are advised to remain vigilant and to verify the authenticity of any downloaded software by cross-checking publisher information and file hash values against official vendor announcements.
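The checksum and hash cross-checking advice above (from Kaspersky's recommendations and the closing paragraph) is worth making concrete, because the key lesson of this incident is that a valid publisher signature on its own did not catch the trojanized installer. The following is an added example, not code from Kaspersky or DAEMON Tools: it parses a vendor-published SHA256SUMS-style file, streams the downloaded installer's SHA-256, and refuses to clear a file that matches a published indicator-of-compromise hash or that matches no vendor hash. All file contents, hash values and the filename `installer.exe` are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large installers are never loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse 'HEX  filename' lines as written by sha256sum; comments and blanks skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums


def classify(path: str, name: str, vendor_sums: dict, iocs: set) -> str:
    """Hash pinning: IoC match wins over everything; no vendor match means do not install."""
    digest = sha256_of(path)
    if digest in iocs:
        return "KNOWN_MALICIOUS"
    expected = vendor_sums.get(name)
    if expected and hmac.compare_digest(digest, expected):
        return "MATCHES_VENDOR_HASH"
    return "UNVERIFIED"  # a valid Authenticode signature does not change this verdict


def demo() -> dict:
    """Constructed sample: three fake 'installers' written to a temp dir, not real binaries."""
    good, bad, other = b"constructed-genuine-build", b"constructed-trojanized-build", b"constructed-unknown"
    iocs = {hashlib.sha256(bad).hexdigest()}  # stands in for the report's published IoC hashes
    vendor_sums = parse_sha256sums("# constructed vendor checksum file\n"
                                   + hashlib.sha256(good).hexdigest() + "  installer.exe\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in (("good", good), ("bad", bad), ("other", other)):
            p = os.path.join(d, label + ".exe")
            with open(p, "wb") as f:
                f.write(data)
            results[label] = classify(p, "installer.exe", vendor_sums, iocs)
    return results


if __name__ == "__main__":
    print(demo())
```

The vendor hash must come from a channel other than the download page itself (for example a signed announcement or a second mirror), since an attacker who can replace the installer on the official site can usually replace a checksum file hosted alongside it.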

Source: Delimiter