Introduction
A critical supply-chain attack has compromised the official installers for DAEMON Tools, a popular disk imaging software. Beginning April 8, threat actors successfully trojanized the installer available on the vendor's official website, deploying an unauthorized access mechanism (backdoor) to thousands of endpoint systems.
This is not a vulnerability in the software itself, but a complete compromise of the distribution channel. Users who downloaded and executed the installer during this window are likely compromised. Defenders must assume that trusted binaries cannot be implicitly trusted and must act immediately to identify infected hosts and eradicate the persistence mechanisms established by the attacker.
Technical Analysis
Affected Products:
- DAEMON Tools (Lite and potentially other variants)
- Platform: Windows
Attack Vector:
- Type: Supply Chain Compromise / Trojanized Installer
- Mechanism: The legitimate installer wrapper was modified to execute malicious code before or during the installation process. This code drops and executes a payload providing unauthorized remote access.
- Exploitation Status: Confirmed Active Exploitation. The attack is currently in-the-wild, with downloads originating from the official vendor domain serving the malicious payload.
Defensive Perspective: The attack chain relies on the user's trust in the vendor. The installer, likely signed or appearing legitimate, executes a series of unauthorized actions typically involving the spawning of shell processes (PowerShell or CMD) to fetch subsequent stages or establish persistence via Registry keys or Scheduled Tasks. The "unauthorized access mechanism" implies a Remote Access Trojan (RAT) or reverse shell functionality.
Detection & Response
Sigma Rules
The following Sigma rules detect the suspicious behavior associated with the trojanized installer.
---
title: DAEMON Tools Installer Spawning Suspicious Child Process
id: 8c5d1a23-9f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects DAEMON Tools installer spawning suspicious shell processes often used for payload delivery.
references:
- https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/
author: Security Arsenal
date: 2024/04/09
tags:
- attack.initial_access
- attack.t1195
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- 'dtools'
- 'DTInst'
- 'DAEMON Tools'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\regsvr32.exe'
condition: selection_parent and selection_child
falsepositives:
- Legitimate administrative use of the installer (unlikely to spawn cmd/ps)
level: high
---
title: Suspicious Network Connection from DAEMON Tools Installer
id: 9e6f2c84-0e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects the DAEMON Tools installer process establishing outbound network connections to non-standard ports, indicative of C2 beacons.
references:
- https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/
author: Security Arsenal
date: 2024/04/09
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
Image|contains:
- 'dtools'
- 'DTInst'
Initiated: 'true'
DestinationPort|notin:
- 80
- 443
- 8080
condition: selection
falsepositives:
- Rare, legitimate installer update checks (usually use 80/443)
level: high
KQL (Microsoft Sentinel / Defender)
Use this query to hunt for process creation events involving the DAEMON Tools installer executing suspicious commands.
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("dtools", "DTInst", "DAEMON")
| where ProcessFileName in~ ("powershell.exe", "cmd.exe", "powershell_ise.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
Hunt for the presence of the installer file on disk and correlate it with recent creation dates to identify potential compromises matching the April 8 timeline.
-- Hunt for DAEMON Tools installer files created recently
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:/Users/*/Downloads/*dtools*.exe")
WHERE Mtime > timestamp("2024-04-01")
-- Hunt for running processes that might be the backdoor child
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell" AND Exe =~ "WindowsPowerShell"
AND Parent.Name =~ "dtools"
Remediation Script (PowerShell)
Run this script on potentially affected endpoints to identify and remove suspicious DAEMON Tools installer files and flag potential compromise. Note: This does not remove the legitimate application, only the installer artifacts and verifies the running state.
<#
.SYNOPSIS
Response script for DAEMON Tools Supply Chain Attack.
.DESCRIPTION
Identifies DAEMON Tools installer files downloaded after April 8, 2024,
and checks for suspicious child processes.
#>
$CompromiseDate = Get-Date "2024-04-08"
$PathsToCheck = @("C:\Users\*\Downloads\", "C:\ProgramData\", "$env:TEMP")
Write-Host "[*] Scanning for DAEMON Tools installers modified after $($CompromiseDate.ToShortDateString())..."
$SuspiciousFiles = @()
foreach ($path in $PathsToCheck) {
$files = Get-ChildItem -Path $path -Filter "*dtools*.exe" -Recurse -ErrorAction SilentlyContinue
foreach ($file in $files) {
if ($file.LastWriteTime -gt $CompromiseDate) {
Write-Host "[!] Suspicious installer found: $($file.FullName) (Modified: $($file.LastWriteTime))" -ForegroundColor Red
$SuspiciousFiles += $file
}
}
}
if ($SuspiciousFiles.Count -eq 0) {
Write-Host "[+] No suspicious installers found in common paths." -ForegroundColor Green
} else {
Write-Host "[!] Recommendation: Quarantine or delete the files listed above immediately." -ForegroundColor Yellow
}
# Check for suspicious parent-child relationships
Write-Host "[*] Checking process tree for installer spawning shells..."
$Processes = Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine
$ParentMap = @{}
foreach ($p in $Processes) { $ParentMap[$p.ProcessId] = $p.Name }
foreach ($p in $Processes) {
if ($p.Name -match "powershell|cmd|wscript|cscript") {
$ParentName = ""
if ($ParentMap.ContainsKey($p.ParentProcessId)) {
$ParentName = $ParentMap[$p.ParentProcessId]
}
if ($ParentName -match "dtools|DTInst|DAEMON") {
Write-Host "[!] Suspicious execution: Parent $($ParentName) spawned child $($p.Name)" -ForegroundColor Red
Write-Host " Command: $($p.CommandLine)"
}
}
}
Remediation
- Identify Scope: Use the provided detection logic to identify all systems that executed the installer between April 8 and the present.
- Containment: Isolate affected hosts from the network immediately to prevent C2 communication or lateral movement.
- Removal:
- Delete the trojanized installer files immediately.
- Uninstall the DAEMON Tools software if it was installed during the compromise window to ensure no backdoors persist in the application directory.
- Perform a full disk antivirus/EDR scan.
- Re-installation: Only re-install DAEMON Tools once the vendor has confirmed the integrity of their distribution channel (check official vendor advisories for the "all clear" date).
- Credential Reset: Assume credentials were harvested via the unauthorized access mechanism. Reset all passwords for accounts used on compromised endpoints.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.