One of the follow-on payloads pushed to about a dozen organizations was what Kaspersky described as a “minimalistic backdoor.” It has the ability to execute commands, download files, and run shellcode payloads in memory—making the infection harder to detect.
Kaspersky said that it observed a more complex backdoor dubbed QUIC RAT, installed on a single machine belonging to an educational institution located in Russia. Initial analysis found that it can inject payloads into the notepad.exe and conhost.exe processes and supports a variety of C2 communication protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3.
The 100 infected organizations were primarily located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Kaspersky’s visibility into the attack is limited because it’s based solely on telemetry provided by its own products.
Kaspersky researchers wrote:
The analysis shows that 10% of the affected systems belong to businesses and organizations. Attackers attempted to infect most of the affected machines only with the information collector payload. However, the other backdoor payload, which is more complex, has been observed only on a dozen machines of government, scientific, manufacturing and retail organizations located in Russia, Belarus and Thailand. This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.
More recent supply-chain attacks have hit Trivy, Checkmarx, and Bitwarden and more than 150 packages available through open source repositories. Last year there were at least six notable such attacks.
Anyone who uses Daemon Tools should take time to scan the entirety of their machines using reputable antivirus software. Windows users should additionally check for indicators of compromise listed in the Kaspersky post. For more technically advanced users, Kaspersky recommends monitoring “suspicious code injections into legitimate system processes, especially when the source is executables launched from publicly accessible directories such as Temp, AppData, or Public.”