Kaspersky security researchers say they have identified a malicious backdoor planted in the popular and long-running Windows disk imaging software, Daemon Tools.
The Russian cybersecurity company said on Tuesday that data collected from computers around the world running Kaspersky antivirus software shows that a “broad” attack is underway, targeting thousands of Windows computers running Daemon Tools.
The hackers, whom Kaspersky has linked to a Chinese-speaking team based on analysis of the malware, used the backdoor in Daemon Tools to install additional malware on a dozen computers in the retail, scientific and manufacturing sectors, as well as government systems. Kaspersky said the breach of these specific computers involved a “targeted” effort.
The company said the targeted organizations are located in Russia, Belarus and Thailand.
Kaspersky said the backdoor was first detected on April 8.
Kaspersky said it contacted Disc Soft, the company that maintains Daemon Tools, but did not say whether the developer responded or took action. Kaspersky said the supply chain attack is “still active,” suggesting hackers can still plant malware on thousands of computers running the disk imaging software.
This is the latest in a series of so-called “supply chain” attacks that have targeted developers of popular software in recent months. Hackers are increasingly targeting the accounts of developers who work on widely used code and software and are abusing that access to push malicious code to anyone who relies on the software. This approach allows hackers to attack a large number of computers at once when their malicious code is delivered as a software update.
Earlier this year, hackers linked to the Chinese government hijacked the popular text editor Notepad++ to deliver malware to a number of organizations with interests in East Asia. Security researchers also warned of another attack last month targeting users who visited the website of CPUID, which makes the popular tools HWMonitor and CPU-Z.
TechCrunch downloaded the Windows installer from the Daemon Tools website, and the file appeared to contain the backdoor when we checked it with the online malware scanner service VirusTotal.
It is not known if the macOS version of Daemon Tools has been compromised or if other Disc Soft applications are affected.
When contacted for comment, a Disc Soft spokesperson said they were “aware of the report and are currently investigating the situation.”
“Our team is treating this issue with the highest priority and is actively working to assess and address the issue. At this stage, we are unable to confirm specific details mentioned in the report. However, we are taking all necessary steps to remediate any potential risks and ensure the safety of our users,” the spokesperson said.
Do you know more about the cyberattack targeting Daemon Tools users? Did you receive an antivirus notification saying you were affected? We want to hear from you. To contact this reporter securely, reach out on Signal using the username zackwhittaker.1337.
