IObit is a software developer for Windows system optimization and anti-malware programs like the Advanced SystemCare.
Over the weekend, Windows utility developer IObit was hacked to facilitate a widespread attack for distributing the DeroHE ransomware to IObit forum members.
Research reveals that the ransomware operators hacked the IObit forum to create a fake promotion page and host the ransomware download. It is quite likely that the attackers gained access to an administrative account after hacking the forum.
All IObit forums still appear compromised, and the pages return a 404 error code, and the web page displays dialogs to subscribe to browser notifications. If a user visits the web page, the browser starts receiving desktop notifications for promoting unwanted content, such as adult sites and malicious software.
See: Hackers cloned NordVPN website to drop banking trojan
IObit is a software developer for Windows system optimization and anti-malware programs like the Advanced SystemCare.
Forum Members Received Phony Emails
The problem with IObit started when this weekend, the forum members started receiving phony emails disguised to be sent by IObit. The emails stated that the recipient would receive a special perk as a free one year license to IObit products for being a forum member.
The weird emails were sent from IObit’s official email address. Some of the products offered were system optimizers and MS Windows security solutions. The emails contain a Get it Now button. When the recipient clicks on this button, they are redirected to a ransomware distribution page. They download a ZIP file that contains the DeroHE ransomware.
Many recipients were tricked into installing the app in the emails, considering it an authentic promotion message. However, they ended up downloading nasty ransomware that locked down all files after appending the .DeroHE extension, corrupted file headers, and broke them down into fragments to rule out any possibility of file recovery.
How the Attack Works?
When the user executes the IObit License Manager.exe attached in the email, the malicious IObitUnlocker.dll gets executed instead, and it installs the DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll .
After installation, the ransomware is executed automatically. Users get deceived easily because most executables are signed with IObit’s certificate. Moreover, the ZIP file is hosted on their site. Hence, users believe that it is a legit promotion.
See: Hackers clone ProtonVPN website to drop password stealer malware
The ransomware displays a message box stating: “Please wait. It may take a little longer than expected. Keep your computer running or screen on!” to prevent users from shutting off their devices before the ransomware finishes its task of encrypting the file.
The Ransom Note
When the data is encrypted, the ransom note appears having the title- ‘Dero Homomorphic Encryption.’ The victim is asked to pay the ransom in DERO cryptocurrency and send 200 coins (approx. $100) to the provided address to get a decryptor. The note also contains the ransomware’s Tor site address, which the victim has to access to pay for the decryptor.
Attackers Blame IObit for the Hack
Interestingly, according to BleepingComputer, the Tor site claims that IObit can send $100,000 in DERO coins for decrypting all the victims because it is responsible for the compromise.
“Tell iobit.com to send us 100000 (1 hundred thousand) DERO coin to this address. After payment arrive, all encrypted computer (including yours) will be decrypted. THIS IS IOBIT’s FAULT to made your computer getting infected,” the DeroHE ransomware’s Tor payment site claims.
Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter!