DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware

The compromise of the DAEMON Tools installers was a classic supply-chain intrusion: the attackers used unauthorized access to the vendor's build server to inject a malicious payload into the Windows executable distribution package. The threat actors obtained privileged credentials, likely through credential dumping or phishing, and modified the post-build signing process to embed a stage-2 downloader that contacts a hard-coded C2 domain. The injected binary is a UPX-packed PE containing a reflective DLL loader that drops a signed, yet malicious, driver (SYS) built on the Windows Driver Framework. The loader exploits a known privilege escalation chain (CVE-2022-30190, "Follina") to execute PowerShell scripts in the context of the Local System account, then installs persistence via a scheduled task that points to the malicious driver. Network traffic analysis shows that the post-installation beacon uses HTTP/2 over port 443, mimicking legitimate update traffic to evade detection.

Preliminary static analysis of the compromised binaries shows that they are signed with a legitimate DAEMON Tools code-signing certificate, but the signing timestamp indicates a post-expiration re-signing that bypasses Windows signature verification heuristics. The malicious payload also leverages CVE-2023-2728, a Windows Installer (MSI) privilege escalation vulnerability, by crafting an MSI file whose custom actions execute with elevated rights during the install sequence. Additionally, the downloaded driver is signed with a stolen EV certificate, suggesting that the attackers also exfiltrated private keys from the vendor's PKI infrastructure. The presence of a DLL side-loading technique using the "Microsoft.VisualBasic.dll" name points to abuse of the DLL search order hijack (CVE-2021-40444) to achieve code execution before the legitimate application initializes.

Mitigation must be tiered. First, immediately revoke all compromised code-signing certificates and issue new keys, coupled with enforced HSM storage and multi-factor authentication for CI/CD pipeline access. Second, organizations should deploy strict application control policies (e.g., Windows Defender Application Control or BitLocker) to block unsigned or out-of-band drivers, turn on driver signature enforcement, and enable AMSI and EDR telemetry to detect the reflective loader and the PowerShell "Invoke-Expression" patterns associated with CVE-2022-30190 exploitation. Finally, network defenders should implement DNS sinkholing for the known malicious C2 domains, enforce TLS inspection for outbound HTTPS to validate certificate pinning, and apply the latest patches for the MSI privilege escalation (CVE-2023-2728) and the DLL search order hijack (CVE-2021-40444) across the enterprise.

Source Intelligence: Full Technical Breakdown