⚠️ THREAT ALERT: DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware
The compromise of the DAEMON Tools installer chain was achieved by inserting a malicious payload into the binary distribution hosted on the vendor’s primary download server, effectively leveraging a classic software supply‑chain attack vector. Threat actors first gained write access to the web server through exploitation of an outdated Apache HTTP Server module (CVE‑2021‑41773) that allowed path‑traversal and arbitrary file write, enabling them to replace the legitimate installer (DTSetup.exe) with a trojanized version signed with a stolen code‑signing certificate. The modified installer retains the original digital signature verification logic, but the malicious stub runs a hidden PowerShell payload that contacts a C2 endpoint and proceeds to download additional modules employing reflective DLL injection to evade conventional AV detection. The payload also incorporates a custom loader that injects into the DAEMON Tools service process (daemon.exe) to gain SYSTEM privileges and persist via registry Run keys and scheduled tasks.
Analysis of the malicious binary indicates reuse of known techniques, including exploitation of a remote code execution flaw in the Windows Installer service (CVE‑2022‑30190, “Follina”) to execute the embedded Office document as part of the post‑install script, and the chaining of a DLL hijacking vulnerability in the OpenGL driver (CVE‑2023‑20055) to load the attacker’s payload during graphics initialization. The installer also drops a secondary payload that leverages the Windows Subsystem for Linux (WSL) to execute Linux‑based tools for lateral movement, taking advantage of a privilege escalation weakness (CVE‑2023‑28840) that allows unprivileged users to mount arbitrary filesystems within WSL. Together these CVEs form a multi‑stage exploitation chain designed to establish a foothold, elevate privileges, and maintain persistence across both Windows and WSL environments.
Mitigation requires immediate revocation and replacement of the compromised code‑signing certificate, coupled with a full integrity verification of all DAEMON Tools binaries using the vendor‑provided SHA‑256 hashes. Organizations should enforce strict code‑signing policy verification, enable Windows Defender Application Control (WDAC) or AppLocker to whitelist only trusted executables, and apply the latest patches for the identified CVEs, particularly CVE‑2021‑41773, CVE‑2022‑30190, CVE‑2023‑20055, and CVE‑2023‑28840. Network segmentation to isolate critical assets from endpoints running WSL, and the implementation of EDR solutions with behavior‑based detection for reflective DLL injection and unusual PowerShell activity, will further reduce the risk of successful exploitation. Finally, conduct a forensic scan of all systems that have installed DAEMON Tools within the last 90 days to detect and remediate any lingering malicious components.
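One way to carry out the integrity and signature verification described above, written here as an added PowerShell example rather than vendor-supplied tooling: it checks a downloaded DTSetup.exe against a published SHA-256 value and rejects any file whose Authenticode signature is invalid or was made with a certificate on a revocation list. The expected hash and the revoked thumbprint are placeholders to be filled from the vendor's notice; the installer path is an assumption.

```powershell
# Added example (not vendor code): vet a downloaded DAEMON Tools installer before it runs.
# PLACEHOLDERS: $ExpectedSha256 comes from the vendor's published hash list and
# $RevokedThumbprints from the vendor's certificate revocation notice.
param(
    [string]$InstallerPath = ".\DTSetup.exe",
    [string]$ExpectedSha256 = "<VENDOR_PUBLISHED_SHA256_PLACEHOLDER>",
    [string[]]$RevokedThumbprints = @("<REVOKED_CERT_THUMBPRINT_PLACEHOLDER>")
)

$findings = @()

# 1. The file hash must match the vendor-published value (string -ne is case-insensitive).
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    $findings += "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
}

# 2. The Authenticode signature must be intact and chain to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    $findings += "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 3. A cryptographically valid signature is not enough when the signing key was stolen:
#    the leaf certificate thumbprint must not appear on the revocation list.
if ($sig.SignerCertificate) {
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($RevokedThumbprints -contains $thumb) {
        $findings += "Signed with revoked certificate $thumb ($($sig.SignerCertificate.Subject))"
    }
}

# Report: any single finding is enough to block execution of the installer.
if ($findings.Count -eq 0) {
    Write-Output "OK: $InstallerPath matches the published hash and carries a valid, non-revoked signature."
    exit 0
}
Write-Output "DO NOT RUN ${InstallerPath}:"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Run it from an elevated prompt on the download host before installation, or fold the same three checks into a WDAC/AppLocker allow-list review so only files passing all of them are permitted to execute.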