DAEMON Tools Supply Chain Attack: Detection and Response Guide
Technical guide on system cleaning and security measures after DAEMON Tools trojan attack. Step by step backdoor cleaning methods.
Overview
As of April 8, it has been determined that the installation files downloaded from the official website of the popular virtual drive software DAEMON Tools have been manipulated (trojanized) by attackers. This supply chain attack caused thousands of systems to be infiltrated through a backdoor mechanism hidden within legitimate software. This guide explains how to check for this malware on your system and how to clean infected systems.
Risk Analysis
By changing the installation package of the software, attackers enable a malicious script to run in the background during installation. This leads to remote control of the system, theft of sensitive data and the risk of propagation to other devices within the network.
Step by Step Response and Cleanup
White Paper and Commands
You can use the following command to check for suspicious network connections on your system:
netstat -ano | findstr "ESTABLISHED"
Also, to check for suspicious entries among the startup items:
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
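The two checks above can be combined into one triage pass that resolves each startup command to its executable, maps each established connection to its owning process, and checks Authenticode signatures on both. This is an added example script, not part of the original guide; it assumes Windows 10 or later with PowerShell 5.1 and the NetTCPIP module, and the name pattern used to highlight DAEMON Tools entries is an assumption based on the product's default folder name.

```powershell
# Added triage script (not from the original guide). Assumes Windows 10+,
# PowerShell 5.1 and the NetTCPIP module (Get-NetTCPConnection).
# The pattern below is an assumption: it matches the product's default folder name.
$suspectPattern = 'DAEMON Tools'

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Pull the executable path out of a startup command, quoted or unquoted.
    if ($Command -match '^"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Test-Trusted {
    param([string]$Path)
    # Only a file that exists and carries a valid Authenticode signature counts as trusted.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    return (Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid'
}

Write-Host '== Startup items that are unsigned or match the suspect pattern =='
Get-CimInstance Win32_StartupCommand | ForEach-Object {
    $exe    = Get-ExecutableFromCommand ([Environment]::ExpandEnvironmentVariables($_.Command))
    $signed = Test-Trusted $exe
    if (-not $signed -or $_.Command -match $suspectPattern) {
        [pscustomobject]@{ Name = $_.Name; Location = $_.Location; Executable = $exe; Signed = $signed }
    }
} | Format-Table -AutoSize

Write-Host '== Established TCP connections with owning process and signature state =='
Get-NetTCPConnection -State Established | ForEach-Object {
    # The PID from the connection is the same value netstat -ano prints in its last column.
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path
    [pscustomobject]@{
        PID     = $_.OwningProcess
        Process = $proc.ProcessName
        Path    = $path
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Signed  = (Test-Trusted $path)
    }
} | Sort-Object Signed | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so process paths for services are visible; unsigned entries are triage leads to review, not proof of compromise on their own.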
Warning: If you installed DAEMON Tools after April 8, simply uninstalling the software may not be enough. A clean installation or rolling back to a known-good system image is highly recommended.
Preventive Measures
To prevent such attacks in corporate networks, keep endpoint protection (EDR) solutions up to date and implement application whitelisting policies. Always download software and updates from official sources and verify their digital signatures before installation.