Daemon Tools Developer Confirms Software Was Trojanized

The developer of a popular utility software application has been forced to release a new version after confirming reports that threat actors managed to hide malware in a previous iteration.

Disc Soft said it released the malware-free Version 12.6 of its Daemon Tools Lite product on May 5, less than 12 hours after being notified of the supply chain attack.

“Following an internal investigation, we identified unauthorized interference within our infrastructure,” it confirmed in a post on May 7.

“As a result, certain installation packages were impacted within our build environment and were released in a compromised state.”

Disc Soft said the incident has now been contained and that there is no ongoing risk to users, after it isolated and secured the affected systems and removed all potentially compromised files from distribution.

The firm said it also audited the build and release pipeline, rebuilt and validated installation packages, and strengthened internal security controls and monitoring systems.

“All currently available versions of Daemon Tools Lite have been verified to ensure their integrity and safety,” it added. “The affected version (12.5.1) has been removed and is no longer supported. The latest version (12.6.0.2445) no longer exhibits the behavior associated with the incident.”

The developer urged any user who downloaded the affected version to:

  • Uninstall the application
  • Run a full system scan using trusted security software
  • Download the latest version from the official website

A China-Linked Backdoor Campaign

Earlier this week, Kaspersky warned that Daemon Tools software installers distributed from the main website had been Trojanized since April 8.

“Starting from early April, we observed several thousands of infection attempts involving Daemon Tools in our telemetry, with individuals and organizations in more than 100 countries being affected,” the cybersecurity firm explained.

“However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them. These machines that received further payloads belonged to retail, scientific, government and manufacturing organizations – and this indicates that the supply chain attack has a targeted manner.”

It’s unclear what the end goal was – Kaspersky posited both cyber-espionage and “big-game hunting.” However, it observed one victim organization, an educational institution in Russia, that had been infected with the Quic RAT malware, which is capable of injecting payloads into notepad.exe and conhost.exe processes.

Most victims were apparently located in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China.

“Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had Daemon Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8,” Kaspersky concluded.