
DAEMON Tools trojanized in supply-chain attack to deploy backdoor

Why This Matters

The supply-chain attack on DAEMON Tools highlights the persistent cybersecurity risks associated with software distribution, especially when malicious actors compromise trusted sources to deploy backdoors. This incident underscores the importance for consumers and organizations to verify software integrity and remain vigilant against targeted threats that can lead to significant data breaches and system compromises.

Key Takeaways

Hackers trojanized installers for the DAEMON Tools software and, since April 8, have delivered a backdoor to thousands of systems that downloaded the product from the official website.

The supply-chain attack led to thousands of infections in more than 100 countries. However, second-stage payloads were deployed only to a dozen machines, indicating a targeted attack aimed at high-value targets.

Among the victims receiving next-stage payloads are retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.

A report today from cybersecurity company Kaspersky notes that the attack is ongoing and that trojanized software includes DAEMON Tools versions from 12.5.0.2421 through 12.5.0.2434, specifically the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.
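To check an endpoint against the version range and the three binary names listed above, the following PowerShell triage script is an added example, not code from the article or from Kaspersky. The uninstall registry paths and the use of the InstallLocation value to find the binaries are assumptions about a standard install.

```powershell
# Added example (not from the article or Kaspersky): triage one Windows host for
# the DAEMON Tools versions and binaries the report names. Registry paths and
# the InstallLocation lookup are assumptions; adjust them for your environment.
$AffectedMin     = [version]'12.5.0.2421'
$AffectedMax     = [version]'12.5.0.2434'
$SuspectBinaries = @('DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe')

# Installed-program entries live under these uninstall keys (64-bit and WOW64 views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' }

foreach ($app in $Installs) {
    # Compare the installed version against the affected range from the report.
    $ver = $null
    $inRange = $false
    if ([version]::TryParse([string]$app.DisplayVersion, [ref]$ver)) {
        $inRange = ($ver -ge $AffectedMin) -and ($ver -le $AffectedMax)
    }
    [pscustomobject]@{
        Product         = $app.DisplayName
        Version         = $app.DisplayVersion
        InAffectedRange = $inRange
        InstallLocation = $app.InstallLocation
    }

    # Record hash, signer and timestamp for the three named binaries so they can
    # be compared with the vendor's and Kaspersky's published indicators. A "Valid"
    # signature alone proves nothing here: the trojanized installers were signed too.
    if ($app.InstallLocation -and (Test-Path -Path $app.InstallLocation)) {
        Get-ChildItem -Path $app.InstallLocation -Recurse -Include $SuspectBinaries -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File      = $_.FullName
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status
                    Modified  = $_.LastWriteTime
                }
            }
    }
}
```

Run it in an elevated PowerShell session on each host that has DAEMON Tools installed; an entry with InAffectedRange set to True, or a binary whose hash or signer does not match the vendor's known-good values, should be treated as a candidate for incident response.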

DAEMON Tools is a Windows utility that allows mounting disk image files as virtual drives. The software was extremely popular in the 2000s, especially among gamers and power users, but today its deployment is limited to environments where virtual drive management is required.

As of today, Kaspersky says that the attack is ongoing.

Once unsuspecting users download and execute the digitally signed trojanized installers, they trigger the malicious code embedded in the compromised binaries. The payload establishes persistence and activates a backdoor on system startup.

The attackers' server can respond with commands that instruct the backdoor to download and execute additional payloads.

The first-stage malware is a basic information stealer that collects system data, such as hostname, MAC address, running processes, installed software, and system locale, and sends it to the attackers for victim profiling.

Basic info-stealer payload
