{"id":18219,"date":"2021-01-19T08:13:54","date_gmt":"2021-01-19T07:13:54","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=18219"},"modified":"2021-11-30T07:00:21","modified_gmt":"2021-11-30T06:00:21","slug":"iobit-forum-gehackt-derohe-ransomware-wurde-verbreitet","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/01\/19\/iobit-forum-gehackt-derohe-ransomware-wurde-verbreitet\/","title":{"rendered":"IOBit forum hacked, spreaded DeroHE ransomware"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/01\/19\/iobit-forum-gehackt-derohe-ransomware-wurde-verbreitet\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]The forum of Windows tool developer IOBit was hacked over the weekend. The aim of the hack was to distribute the DeroHE ransomware to forum visitors.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg06.met.vgwort.de\/na\/3db3172ecdde453f926cc5263329276a\" alt=\"\" width=\"1\" height=\"1\" \/>I'm not so sure if there are any affected people among the blog readers &#8211; because IOBit is (at least for me) a vendor you should keep your hands of. Because IOBit offers tools such for cleaning and optimizing a Windows system, registry cleaners, PC optimizers or malware cleaners. All Windows tools, which are usually superfluous, in some situations even harmful and are sorted by me under 'snake oil' . But there are users who love at these IOBit tools.<\/p>\n<h2>IOBit Forum hacked<\/h2>\n<p>Over the weekend, users of the IOBit forum were graced with a supposedly special email. IObit forum members received emails claiming to be from IObit, claiming they were entitled to a free 1-year license for their software as a special perk for being a member of the forum. But that was just a nice bait. I came across the facts via my colleagues at Bleeping Computer. They actually condensed the core information into the following two\u00a0 <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1351261430293671936\" target=\"_blank\" rel=\"noopener\">tweets<\/a>.<\/p>\n<p><img decoding=\"async\" title=\"IOBit Forum hacked\" src=\"https:\/\/i.imgur.com\/pDbZL6Z.png\" alt=\"IOBit Forum hacked\" \/><\/p>\n<p>Anyone who clicked on the <em>Get It Now<\/em> button of the supposedly IOBit message was taken to the URL:<\/p>\n<p>hxxps:\/\/forums.iobit.com\/promo.html<\/p>\n<p>was redirected to the following, now deleted page:<\/p>\n<p>hxxps:\/\/forums.iobit.com\/free-iobit-license-promo.zip.<\/p>\n<p>The zip achrivfile contained digitally signed files of the legitimate IObit License Manager program. However, the attackers had replaced the <em>IObitUnlocker.dll<\/em> file with an unsigned, malicious version. Virustotal <a href=\"https:\/\/www.virustotal.com\/gui\/file\/2138091055ad48988e5b94a6ca95663ef715dbd36893e59d71269318bcf7aeb5\/detection\" target=\"_blank\" rel=\"noopener\">identifies this as a Trojan<\/a>. And this file then reloaded the DeroHE ransomware.<\/p>\n<p>Soon, users reported to security forums like <a href=\"https:\/\/web.archive.org\/web\/20210201205021\/https:\/\/malwaretips.com\/threads\/iobit-forum-hacked.106312\/\" target=\"_blank\" rel=\"noopener\">here<\/a> or <a href=\"https:\/\/www.wilderssecurity.com\/threads\/iobit-forums-hacked.435960\/\" target=\"_blank\" rel=\"noopener\">here<\/a> that they had fallen for the 'offer' and installed the 'promo'. Hours later, the system was encrypted with the DeroHE ransomware and a demand for 200 Crypto-Coins (about $100 US) to decrypt it appeared. The colleagues from Bleeping Computer have analyzed the malware a bit more and describe its mode of operation and other <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/iobit-forums-hacked-in-widespread-derohe-ransomware-attack\/\" target=\"_blank\" rel=\"noopener\">details here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]The forum of Windows tool developer IOBit was hacked over the weekend. The aim of the hack was to distribute the DeroHE ransomware to forum visitors.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[447,243,69],"class_list":["post-18219","post","type-post","status-publish","format-standard","hentry","category-security","tag-hack","tag-ransomware","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/18219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=18219"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/18219\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=18219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=18219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=18219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}