Hackers Hacked IObit Forum to Distribute Ransomware

IObit has been the victim of a large-scale cyberattack aimed at distributing the DeroHE ransomware among its forum participants.


IObit is a software developer known for its Windows system optimization and anti-malware programs such as Advanced SystemCare.


As reported by BleepingComputer, members of the IObit forum began receiving emails, purportedly sent from IObit, offering a free one-year software license as a special benefit of participating in the forum. The email contained a GET NOW link that redirected to a page (hxxps://forums.iobit.com/promo.html) which was distributing a malicious file during the attack.


The zip archive contains digitally signed files from the legitimate IObit License Manager program, but IObitUnlocker.dll is replaced with an unsigned malicious version. When IObit License Manager.exe is launched, the malicious IObitUnlocker.dll runs, installs the DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll and executes it.


Since most of the executables were signed with an IObit certificate and the zip file was hosted on the company's website, users installed the ransomware thinking it was a legitimate offer.


On first launch, the ransomware adds a Windows autorun named "IObit License Manager", which runs the command "rundll32 C:\Program Files (x86)\IObit\iobit.dll,DllEntry" at login.


The ransomware adds Windows Defender exclusions to allow the malicious DLL to run. It then displays a message box, ostensibly from IObit License Manager: "Please wait. This may take a little longer than expected. Don't turn off your computer or turn on your screen!"


The malware adds the .DeroHE extension to encrypted files. Each encrypted file also has a line of information appended to the end of the file. The ransomware can use this information to decrypt files in the event of a ransom payment.


On the Windows desktop, DeroHE creates two files: FILES_ENCRYPTED.html, which contains a list of all encrypted files, and a ransom note, READ_TO_DECRYPT.html. The note is titled "Dero Homomorphic Encryption" and advertises a cryptocurrency called DERO. The victim is asked to send 200 coins, worth about $100, to the specified address in order to regain access to the files.
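As an added example (not from the original article or from BleepingComputer), the Python below checks a host snapshot for the artifacts described above: the rundll32 autorun that loads iobit.dll, a Windows Defender exclusion covering that DLL, the .DeroHE extension and the two desktop files. The snapshot format and finding labels are hypothetical, the idea that the exclusion covers the DLL's path is an assumption, and the sample data is constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators named in the article.
DLL_PATH = PureWindowsPath(r"C:\Program Files (x86)\IObit\iobit.dll")
AUTORUN_NAME = "IObit License Manager"
DESKTOP_FILES = {"files_encrypted.html", "read_to_decrypt.html"}

# rundll32 <dll>,<export>: the launcher and the DLL path may each be quoted.
RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)

def parse_rundll32(command):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32.match(command)
    return (PureWindowsPath(m["dll"].strip()), m["export"]) if m else None

def triage(snapshot):
    """Return sorted finding labels for a host snapshot (hypothetical format)."""
    findings = set()
    for name, command in snapshot.get("autoruns", {}).items():
        parsed = parse_rundll32(command)
        if parsed and parsed[0] == DLL_PATH:  # PureWindowsPath ignores case
            findings.add("autorun-loads-iobit.dll")
        elif parsed and name.casefold() == AUTORUN_NAME.casefold():
            findings.add("autorun-name-with-other-dll")
    for excl in snapshot.get("defender_exclusions", []):
        # Assumption: the exclusion is the DLL itself or a folder above it.
        p = PureWindowsPath(excl)
        if p == DLL_PATH or p in DLL_PATH.parents:
            findings.add("defender-exclusion-covers-dll")
    for path in snapshot.get("files", []):
        p = PureWindowsPath(path)
        if p.suffix.casefold() == ".derohe":
            findings.add("derohe-extension")
        if p.name.casefold() in DESKTOP_FILES:
            findings.add("ransom-note-or-file-list")
    return sorted(findings)

# Constructed sample data, not taken from a real host.
SAMPLE = {
    "autoruns": {
        "IObit License Manager": r'rundll32 "C:\Program Files (x86)\IObit\iobit.dll",DllEntry',
        "OneDrive": r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    "defender_exclusions": [r"c:\program files (x86)\iobit"],
    "files": [r"C:\Users\a\Documents\budget.xlsx.DeroHE",
              r"C:\Users\a\Desktop\READ_TO_DECRYPT.html"],
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```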


Curiously, the cybercriminals accuse IObit itself of compromising computer systems. They invite victims to tell the company to send $100,000 in DERO coins to decrypt all infected devices.


"Tell iobit.com to send us 100000 (1 hundred thousand) DERO coin to this address. dERopYDgpD235oSUfRSTCXL53TRakECSGQVQ2hhUjuCEjC6zSNFZsRqavVVSdyEzaViULtCRPxzRwRCKZ2j2ugCg26hRtLziwu"


It is currently unknown exactly how the attackers managed to compromise the site. It is possible that the attackers hacked into the IObit forum and gained access to the administrator account in order to create the fake promotional page and host the malicious download.
