Overview
- Kaspersky disclosed Tuesday that official DAEMON Tools Windows installers were trojanized, and it says the campaign is still active.
- Versions 12.5.0.2421 through 12.5.0.2434 embedded malicious code in DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, all signed with Disc Soft certificates.
- On startup, each tainted binary contacts env-check.daemontools.cc for a shell command that fetches an info stealer; the infection can escalate to a lightweight backdoor and, in select cases, the QUIC RAT.
- Telemetry shows several thousand installation attempts in more than 100 countries, yet only about a dozen systems in Russia, Belarus, and Thailand received follow-on backdoors in government, scientific, manufacturing, or retail networks.
- Disc Soft says it is investigating, while Kaspersky links artifacts to a Chinese-speaking operator and urges isolating machines with DAEMON Tools and checking for suspicious activity since April 8.
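The indicators above turned into a defender's triage check, as an added example that is not Kaspersky's or Disc Soft's code: it flags the three named binaries only when their file version falls inside the disclosed range, and sweeps resolver logs for lookups of the C2 domain on or after the April 8 cutoff. The log format, hostnames and the year in the sample are constructed, and the file version is assumed to come from whatever inventory tool already reads PE version resources.

```python
import re
from datetime import date

# Indicators from the Kaspersky disclosure summarised on this page.
AFFECTED_FILES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
C2_DOMAIN = "env-check.daemontools.cc"

def parse_version(version: str) -> tuple:
    """'12.5.0.2421' -> (12, 5, 0, 2421); tuples compare component-wise, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected_build(file_name: str, file_version: str) -> bool:
    """True when file_name is one of the trojanized binaries and its version
    lies inside the disclosed range, inclusive. Other files are never flagged."""
    if file_name.lower() not in AFFECTED_FILES:
        return False
    return AFFECTED_MIN <= parse_version(file_version) <= AFFECTED_MAX

# Constructed resolver log format (hypothetical): <ISO timestamp> <host> query=<name> type=<rr>
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+query=(\S+)\s+type=\S+$")

def find_c2_lookups(dns_log_lines, since: str):
    """Return (date, host) pairs for lookups of the C2 domain, or a subdomain of it,
    on or after `since` (ISO date). Names are lower-cased and a trailing FQDN dot is
    stripped; suffix matching (not substring) avoids hits on unrelated names that
    merely contain the C2 string."""
    cutoff = date.fromisoformat(since)
    hits = []
    for line in dns_log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        day, host, name = m.groups()
        name = name.lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            if date.fromisoformat(day) >= cutoff:
                hits.append((day, host))
    return hits

# Constructed sample log: hosts are invented and the year is a placeholder,
# since the disclosure gives only "April 8" as the cutoff.
SAMPLE_DNS_LOG = [
    "2025-04-07T09:00:01Z WS-03 query=env-check.daemontools.cc type=A",                # before cutoff
    "2025-04-09T10:15:02Z WS-07 query=ENV-CHECK.daemontools.cc. type=A",               # case + trailing dot
    "2025-04-10T11:20:30Z WS-07 query=env-check.daemontools.cc.example.net type=A",    # contains string, not C2
    "garbage line the parser must tolerate",
    "2025-04-11T12:00:00Z SRV-01 query=env-check.daemontools.cc type=AAAA",
]
```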