IOBit forum hacked, spreaded DeroHE ransomware

[German]The forum of Windows tool developer IOBit was hacked over the weekend. The aim of the hack was to distribute the DeroHE ransomware to forum visitors.


Advertising

I’m not so sure if there are any affected people among the blog readers – because IOBit is (at least for me) a vendor you should keep your hands of. Because IOBit offers tools such for cleaning and optimizing a Windows system, registry cleaners, PC optimizers or malware cleaners. All Windows tools, which are usually superfluous, in some situations even harmful and are sorted by me under ‘snake oil’ . But there are users who love at these IOBit tools.

IOBit Forum hacked

Over the weekend, users of the IOBit forum were graced with a supposedly special email. IObit forum members received emails claiming to be from IObit, claiming they were entitled to a free 1-year license for their software as a special perk for being a member of the forum. But that was just a nice bait. I came across the facts via my colleagues at Bleeping Computer. They actually condensed the core information into the following two  tweets.

IOBit Forum hacked

Anyone who clicked on the Get It Now button of the supposedly IOBit message was taken to the URL:

hxxps://forums.iobit.com/promo.html


Advertising

was redirected to the following, now deleted page:

hxxps://forums.iobit.com/free-iobit-license-promo.zip.

The zip achrivfile contained digitally signed files of the legitimate IObit License Manager program. However, the attackers had replaced the IObitUnlocker.dll file with an unsigned, malicious version. Virustotal identifies this as a Trojan. And this file then reloaded the DeroHE ransomware.

Soon, users reported to security forums like here or here that they had fallen for the ‘offer’ and installed the ‘promo’. Hours later, the system was encrypted with the DeroHE ransomware and a demand for 200 Crypto-Coins (about $100 US) to decrypt it appeared. The colleagues from Bleeping Computer have analyzed the malware a bit more and describe its mode of operation and other details here.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *