Remember DAEMON Tools? It Was Hacked to Serve Windows Malware

A hacker circulated malware undetected for nearly a month by hijacking downloads for DAEMON Tools, a once-popular software program to run virtual CD and DVD drive files. 

DAEMON Tools confirmed the incident today after antivirus provider Kaspersky observed “several thousands of infection attempts” involving the virtual mounting software. “At the time of writing this article, the supply chain attack is still active,” Kaspersky wrote on Tuesday.

Kaspersky discovered a hacker had been delivering malicious versions of DAEMON Tools Lite starting on April 8 through the official vendor site at daemon-tools.cc. Affected versions range from 12.5.0.2421 to 12.5.0.2434. The installers came with three .exe programs that had been rigged to deliver a backdoor to a Windows PC. (Since version 12.4, DAEMON Tools Lite runs only on Windows 10 or later.)

Following Kaspersky’s report, DAEMON Tools said it “identified unauthorized interference within our infrastructure, [and] as a result, certain installation packages were impacted within our build environment and were released in a compromised state.”

(Image: the software. Credit: AVB Disc Soft)

This suggests the hacker infiltrated the IT systems of DAEMON Tools’ developer, Latvian software provider AVB Disc Soft. Kaspersky noted that the malicious versions of the program were digitally signed by the developer and discovered signs that a Chinese-speaking hacker is behind the attack. 

In response, DAEMON Tools said it removed all the potentially compromised files and started vetting all its internal processes. A new, malware-free version of DAEMON Tools Lite, 12.6, was also released on Tuesday. “We would also like to emphasize that this incident did not affect other products developed by Disc Soft Limited. DAEMON Tools Ultra, DAEMON Tools Pro, and all other products remain fully operational and safe to use,” the company says.

It’s unclear how the hacker infiltrated Disc Soft’s systems. For now, DAEMON Tools says: “Our investigation is ongoing as we continue to analyze the root cause and full scope of the incident. At this stage, we are not attributing the incident to any specific third party. We are carefully reviewing all components of our infrastructure to ensure a complete and accurate understanding of what occurred.”

The attack was effective enough to spread malware to users and organizations based in more than 100 countries, according to Kaspersky’s antivirus data. The majority of the victims were based in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. (In 2024, the US banned Kaspersky software.)

“However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them,” Kaspersky added. “These machines that received further payloads belonged to retail, scientific, government, and manufacturing organizations—and this indicates that the supply chain attack has a targeted manner.”

DAEMON Tools is urging affected users to uninstall the Trojanized program and “run a full system scan using trusted security or antivirus software.” Kaspersky noted its own antivirus can detect and flag the malware. Users can also consider the nuclear option: reinstalling Windows.
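For anyone who has to check a fleet of machines against the version range reported above, here is an added example (not code from AVB Disc Soft, DAEMON Tools or Kaspersky) that reads the installed-program entries Windows keeps under its standard Uninstall registry keys and flags any DAEMON Tools Lite build that falls between 12.5.0.2421 and 12.5.0.2434. It assumes the reported range is inclusive, and that the product registers itself with a DisplayName containing “DAEMON Tools Lite”; on a non-Windows host it runs the same logic over a constructed sample list.

```python
"""Flag installed DAEMON Tools Lite builds that fall in the version range
the article reports as compromised (12.5.0.2421 through 12.5.0.2434).

Added example for this article, not code from AVB Disc Soft, DAEMON Tools or
Kaspersky. Assumptions: the reported range is inclusive, and the product is
listed in the standard Windows "Uninstall" registry keys with a DisplayName
containing "DAEMON Tools Lite".
"""
import re
from typing import Dict, Iterable, List, Tuple

try:
    import winreg  # Windows only; the version logic itself is cross-platform
except ImportError:
    winreg = None

# Bounds quoted from the article; treated as inclusive (assumption).
AFFECTED_MIN = "12.5.0.2421"
AFFECTED_MAX = "12.5.0.2434"
# Release the article names as the malware-free replacement.
CLEAN_RELEASE = "12.6"

# Standard Windows locations where installers record DisplayName/DisplayVersion.
UNINSTALL_PATHS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Convert a dotted version string to a 4-tuple of ints so that tuple
    comparison orders versions numerically (12.5.0.2434 < 12.6.0.0).
    Missing trailing components count as zero; a trailing non-numeric
    suffix such as " beta" is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0, 0])[:4]
    return tuple(parts)  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the version lies inside the compromised range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def classify(version: str) -> str:
    """Map an installed version to one of three verdicts."""
    if is_affected(version):
        return "affected"
    if parse_version(version) >= parse_version(CLEAN_RELEASE):
        return "clean-release"
    return "outside-range"


def audit(entries: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Given (DisplayName, DisplayVersion) pairs, keep the DAEMON Tools Lite
    entries (name match is an assumption) and attach a verdict to each."""
    findings = []
    for name, version in entries:
        if "daemon tools lite" not in name.lower():
            continue
        findings.append({"name": name, "version": version, "verdict": classify(version)})
    return findings


def installed_programs() -> List[Tuple[str, str]]:
    """Enumerate DisplayName/DisplayVersion from the Uninstall keys of the
    machine hive and the current-user hive. Returns [] when not on Windows."""
    if winreg is None:
        return []
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in UNINSTALL_PATHS:
            try:
                root = winreg.OpenKey(hive, path)
            except OSError:
                continue
            with root:
                for i in range(winreg.QueryInfoKey(root)[0]):
                    try:
                        with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                            name, _ = winreg.QueryValueEx(sub, "DisplayName")
                            version, _ = winreg.QueryValueEx(sub, "DisplayVersion")
                    except OSError:
                        continue  # entry lacks one of the values; skip it
                    found.append((str(name), str(version)))
    return found


if __name__ == "__main__":
    # Constructed sample used when not running on Windows; the 12.6 build
    # number is made up for illustration.
    sample = [
        ("DAEMON Tools Lite", "12.5.0.2430"),
        ("DAEMON Tools Lite", "12.6.0.2480"),
        ("Some Other Program", "1.0"),
    ]
    for f in audit(installed_programs() or sample):
        print(f"{f['name']} {f['version']}: {f['verdict']}")
```

A verdict of “affected” is a reason to follow the vendor’s uninstall-and-scan advice, not proof of compromise on its own; the installers in question carried a valid vendor signature, so a signature check alone would not have caught them.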

The DAEMON Tools hack is the latest software “supply chain attack,” in which tampered software packages spread a malicious download to numerous users. Last month, a hacker also briefly hijacked downloads for PC-monitoring tools CPU-Z and HWMonitor.
