Government, scientific, manufacturing, and retail organizations have been targeted with a sophisticated backdoor in an ongoing supply chain attack involving the Daemon Tools disk imaging software, Kaspersky reports.
As part of the attack, Chinese-speaking attackers apparently injected malicious code into multiple Daemon Tools iterations that have been available for download via the software’s legitimate website.
Daemon Tools versions 12.5.0.2421 to 12.5.0.2434, released since April 8, have been found to contain injected code, and the attack remains active, Kaspersky says. AVB Disc Soft, the company behind Daemon Tools, has been notified.
As part of the supply chain attack, the threat actors compromised three binaries within the software, namely DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, all signed using certificates belonging to AVB Disc Soft.
“Whenever one of these binaries is launched, which happens at the machine startup, a backdoor gets activated. This backdoor is implanted in the startup code responsible for initializing the CRT environment,” Kaspersky explains.
The backdoor was observed sending requests to a typosquatting domain registered on March 27. The server responds with a shell command executed via command prompt to fetch and run a payload.
The attackers relied on this mechanism to attempt to deploy an information collector on thousands of machines across over 100 countries, mainly in Brazil, China, France, Germany, Italy, Russia, Spain, and Turkey. Roughly 10% of the affected machines belong to various businesses and organizations.
Using the information collected by the malware, the attackers identified systems of interest and infected them with a second, minimalistic backdoor.
Only a dozen systems at government, scientific, manufacturing, and retail organizations in Belarus, Russia, and Thailand were infected with the backdoor, suggesting a targeted attack, Kaspersky says.
Furthermore, the backdoor was used to deploy more complex malware, namely the QUIC RAT, against a single educational institution in Russia.
“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear,” Kaspersky notes.
Related: 1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom
Related: SAP NPM Packages Targeted in Supply Chain Attack
Related: Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data
Related: Axios NPM Package Breached in North Korean Supply Chain Attack
