Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack

Published: May 5, 2026 at 11:20 AM EDT
Source: TechCrunch


Overview

Security researchers at Kaspersky have identified a malicious backdoor planted in the popular Windows disc imaging software, Daemon Tools. Data collected from computers worldwide running Kaspersky antivirus indicates a “widespread” attack targeting thousands of Windows machines with Daemon Tools installed.

Targeted Organizations

The backdoor was used to plant additional malware on a dozen computers across the retail, scientific, and manufacturing sectors, as well as government systems. The affected organizations are located in Russia, Belarus, and Thailand, suggesting a targeted effort.

Detection and Response

  • First detection: April 8.
  • Supply‑chain status: Kaspersky says the attack is still active, meaning hackers could continue to plant malware on computers running Daemon Tools.
  • Vendor contact: Kaspersky reached out to Disc Soft, the developer of Daemon Tools, but has not disclosed whether the developer has responded or taken action.
  • Earlier this year, hackers linked to the Chinese government hijacked the popular text editor Notepad++ to deliver malware to organizations with interests in East Asia.
  • Last month, an attack targeted users who visited the website of CPUID, the maker of HWMonitor and CPU‑Z tools.

Technical Details

TechCrunch downloaded the Windows installer from Daemon Tools’ website. The file appeared to contain the backdoor when scanned with VirusTotal.

It is not known whether the macOS version of Daemon Tools or other Disc Soft applications are affected.

Statement from Disc Soft

A Disc Soft representative confirmed awareness of the report and said the company is investigating the situation, treating the matter with the highest priority, and taking steps to remediate any potential risks.
