Kaspersky Lab security researchers announced that they have identified a malicious backdoor in Daemon Tools, a popular and long-running disk imaging program for Windows.
The Russian cybersecurity company said Tuesday that data collected from computers around the world running Kaspersky antivirus software shows a “widespread” attack is underway targeting thousands of Windows computers running Daemon Tools.
The hackers, who Kaspersky linked to a Chinese-speaking group based on analysis of the malware, used a Daemon Tools backdoor to plant additional malware on more than a dozen computers in the retail, scientific and manufacturing sectors, as well as on government systems. Kaspersky said the hacking of these particular computers implied a “targeted” effort.
The company said the targeted organizations were located in Russia, Belarus and Thailand.
Kaspersky said the backdoor was first detected on April 8th.
Kaspersky said it contacted Disc Soft, which manages Daemon Tools, but did not say whether the developer had responded or taken any action. Kaspersky Lab said the supply chain attack “remains active,” suggesting hackers could still place malware on thousands of computers running the disk imaging software.
This is the latest in a series of so-called “supply chain” attacks targeting developers of popular software in recent months. Hackers are increasingly targeting the accounts of developers working on widely used code and software and exploiting that access to push malicious code to those who rely on that software. This approach allows hackers to compromise many computers at once when malicious code is delivered as a software update.
Earlier this year, hackers with ties to the Chinese government took over the popular text editing software Notepad++ and delivered malware to a number of organizations with interests in East Asia. Last month, security researchers also warned of another attack targeting users who visited the CPUID website, which makes the popular HWMonitor and CPU-Z tools.
When TechCrunch downloaded the Windows installer from the Daemon Tools website and checked it with online malware scanner service VirusTotal, the file appeared to contain a backdoor.
It is unclear whether the macOS version of Daemon Tools was compromised or if other apps from Disc Soft are affected.
When asked for comment, a representative for Disc Soft said, “We are aware of the report and are currently investigating the situation.”
“Our team treats this issue as a top priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm the specific details mentioned in the report. However, we are taking all necessary steps to remediate any potential risks and ensure the security of our users,” the representative said.

