How to Check If Your Daemon Tools Has Been Compromised in a Supply-Chain Attack
Introduction
In April 2024, a widespread supply-chain attack compromised Daemon Tools, a popular disk image mounting application. Attackers pushed malicious updates through the developer's official servers, affecting versions 12.5.0.2421 through 12.5.0.2434. The malware, signed with legitimate digital certificates, infects executables and runs at boot time, collecting sensitive system information and potentially delivering follow-on payloads to targeted organizations. This guide will walk you through the essential steps to detect if your Daemon Tools installation has been backdoored, how to remove it, and how to prevent future supply-chain compromises.

What You Need
- Access to your computer's system settings and file explorer
- Administrator privileges (to check digital signatures and remove software)
- Daemon Tools version number (check in the app or in Add/Remove Programs)
- A web browser to verify certificate details
- Optional: antivirus or endpoint detection software
Step-by-Step Guide
Step 1: Identify Your Daemon Tools Version
The attack targeted versions 12.5.0.2421 through 12.5.0.2434. To find your version, open Daemon Tools and go to Help > About, or check via Control Panel > Programs > Programs and Features. Write down the full version number. If it falls within the vulnerable range, proceed to the next steps immediately.
Step 2: Verify Digital Signatures of Daemon Tools Executables
Right-click on daemon.exe and other Daemon Tools executables (usually in C:\Program Files\DAEMON Tools), select Properties, then the Digital Signatures tab. Check that the signer is AVB (the developer) and the certificate is valid (not expired or revoked). If the signature shows any error, or if the certificate details differ from the official signer, your installation is likely compromised. You can also cross-check the certificate thumbprint with known good values from the developer's official support page.
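Steps 1 and 2 can be run across every binary in the install folder at once. The PowerShell below is an added example, not a tool from the developer: it lists each file's version, whether that version falls in the affected range, and its Authenticode status, signer and thumbprint. Because the malicious builds carried legitimate signatures, a Valid status does not clear a file whose version is in range. The install path is the default named above, and the helper name Test-AffectedVersion is specific to this example.

```powershell
# Added example: inventory DAEMON Tools binaries by version and signature.
$InstallDir = 'C:\Program Files\DAEMON Tools'   # default path from this guide; adjust if needed
$FirstBad   = [version]'12.5.0.2421'            # affected range from this guide, inclusive
$LastBad    = [version]'12.5.0.2434'

function Test-AffectedVersion {                 # helper name is specific to this example
    param([System.Diagnostics.FileVersionInfo]$Info)
    # Use the numeric version fields; the FileVersion string can carry free-form text.
    $v = [version]('{0}.{1}.{2}.{3}' -f $Info.FileMajorPart, $Info.FileMinorPart,
                                        $Info.FileBuildPart, $Info.FilePrivatePart)
    return ($v -ge $FirstBad -and $v -le $LastBad)
}

Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -File -ErrorAction Stop |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.Name
            FileVersion = $_.VersionInfo.FileVersion
            InRange     = Test-AffectedVersion $_.VersionInfo
            SigStatus   = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject    # empty when the file is unsigned
            Thumbprint  = $sig.SignerCertificate.Thumbprint # compare with the developer's published value
        }
    } |
    Sort-Object InRange -Descending |
    Format-Table -AutoSize
```

Treat any row with InRange set to True as affected regardless of SigStatus, and any row with a status other than Valid as needing investigation regardless of version.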
Step 3: Monitor Network Traffic for Suspicious Connections
The backdoor collects MAC addresses, hostnames, DNS domains, running processes, installed software, and system locales, then sends them to an attacker-controlled server. Use a firewall or network monitoring tool (e.g., Windows Resource Monitor or third-party apps) to watch for unusual outbound connections from Daemon Tools processes. Look for connections to unknown IP addresses or domains that are not related to the official Daemon Tools update servers. If you see such activity, your system may be infected.
Step 4: Check for Unauthorized Startup Programs and Processes
The malware runs at boot time. Open Task Manager (Ctrl+Shift+Esc) and go to the Startup tab. Look for any Daemon Tools-related entries that you did not authorize. Also check the Processes tab for suspicious processes with high CPU or memory usage, especially those with random names or hidden windows. Use an antivirus scan with updated signatures to detect known variants of this backdoor.
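The checks in Steps 3 and 4 can also be collected from an elevated PowerShell prompt. This is an added example, not part of any vendor tooling. It only covers processes, startup entries and services whose path points into the default install folder named in Step 2, so the remote addresses it prints still have to be compared by hand against the official update servers.

```powershell
# Added example: network and boot-time footprint of DAEMON Tools binaries.
$InstallDir = 'C:\Program Files\DAEMON Tools'   # default path from this guide; adjust if needed

# Running processes whose image is under the install folder.
# Path is empty for processes the current user cannot open, so run elevated.
$procs = Get-Process | Where-Object {
    $_.Path -and $_.Path.StartsWith($InstallDir, [StringComparison]::OrdinalIgnoreCase)
}
$procIds = @($procs | ForEach-Object { $_.Id })

# Step 3: active or pending outbound TCP connections owned by those processes.
Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $procIds -contains $_.OwningProcess -and
                   $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Select-Object OwningProcess, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize

# Step 4: startup entries (Run keys, Startup folders) that launch from the install folder.
Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -like "*$InstallDir*" } |
    Select-Object Name, Command, Location, User |
    Format-List

# Step 4: services and drivers installed from the same folder, with their start mode.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$InstallDir*" } |
    Select-Object Name, StartMode, State, PathName |
    Format-List
```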

Step 5: Remove Infected Versions and Clean the System
If you confirm your Daemon Tools is compromised, uninstall it immediately via Control Panel > Programs > Uninstall a Program. Then run a full system scan with a reputable security suite. Manually delete any leftover files in the installation folder. To be safe, consider performing a system restore to a point before April 8, 2024, if available, or reinstall Windows from a clean backup. Do not download Daemon Tools again until the developer releases a patched, verified version.
Step 6: Protect Against Future Supply-Chain Attacks
Even if your system is clean, take proactive measures:
- Only download software from official sources, but note that this attack came from the official server, so also verify file hashes against developer-provided checksums when possible.
- Use application whitelisting to prevent unauthorized executables from running.
- Keep your operating system and security software up-to-date.
- Monitor your network for unusual traffic patterns.
- Regularly back up critical data to an offline location.
For organizations, consider using a sandboxed environment for testing updates before deployment.
Tips for Staying Safe
- Always verify digital signatures before installing any update, especially for software that runs with system privileges.
- Limit the number of third-party tools that have boot-time execution capabilities.
- Use a dedicated security solution that includes behavior monitoring and memory scanning to catch fileless malware.
- Educate users about social engineering tactics that could deliver the backdoor through fake updates.
- Engage with security communities (like Kaspersky’s threat intelligence) to stay informed about ongoing supply-chain attacks.
By following these steps, you can determine whether your Daemon Tools installation has been compromised and take appropriate action to secure your system. Supply-chain attacks are hard to detect because they abuse trusted channels, but diligence in checking versions, signatures, and behavior can make a difference.