19 January 2021

IObit forum hacked in a DeroHE ransomware attack

The forum of IObit, a developer of anti-malware and antivirus programs for Microsoft Windows, was compromised to distribute the DeroHE ransomware to its forum members.

According to BleepingComputer, over the weekend IObit forum users started receiving emails ostensibly from IObit offering a free 1-year license to its software as a special bonus for being a forum member. The email contained a link to a page on the forum itself, which was distributing a .zip file containing the digitally signed files of the legitimate IObit License Manager program, but with IObitUnlocker.dll replaced by an unsigned malicious version.

Once executed, the malicious IObitUnlocker.dll would install the DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll and execute it. As per Emsisoft researcher Elise van Dorp, who analyzed the ransomware, the malicious software adds several Windows Defender exclusions to allow the DLL to run.
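As an added defender's example, not from the article or from IObit or Emsisoft, the PowerShell below runs the two triage checks the report implies on a Windows host: it flags unsigned or invalidly signed binaries under the IObit program directories (the attack swapped a signed IObitUnlocker.dll for an unsigned one and dropped iobit.dll beside it) and lists Windows Defender exclusions, highlighting any that point into those directories. The directory list and the use of Get-MpPreference are assumptions; the report itself names only C:\Program Files (x86)\IObit\iobit.dll.

```powershell
# Added example (not from the article, IObit or Emsisoft): triage for the two traits
# the report describes - an unsigned DLL among signed vendor binaries, and Windows
# Defender exclusions added so that the DLL can run. Run in an elevated session.
# The directory list is an assumption; the report names only the (x86) path.
$iobitDirs = @(
    "C:\Program Files (x86)\IObit",
    "C:\Program Files\IObit"
) | Where-Object { Test-Path $_ }

# 1. Authenticode check: every DLL/EXE shipped by the vendor should carry a valid
#    signature. Anything else (NotSigned, HashMismatch, ...) is reported with its
#    SHA-256 so it can be compared against a known-good install.
$suspectBinaries = foreach ($dir in $iobitDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                    Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# 2. Defender exclusions: the loader added several to let the DLL run. List all of
#    them, then single out those that point into an IObit directory.
$prefs = Get-MpPreference
$exclusions = @(
    @($prefs.ExclusionPath)      | Where-Object { $_ } | ForEach-Object { [pscustomobject]@{ Type = 'Path';      Value = $_ } }
    @($prefs.ExclusionProcess)   | Where-Object { $_ } | ForEach-Object { [pscustomobject]@{ Type = 'Process';   Value = $_ } }
    @($prefs.ExclusionExtension) | Where-Object { $_ } | ForEach-Object { [pscustomobject]@{ Type = 'Extension'; Value = $_ } }
)
$iobitExclusions = $exclusions | Where-Object {
    $value = $_.Value
    ($iobitDirs | Where-Object { $value -like "$_*" }).Count -gt 0
}

"== Unsigned or invalidly signed binaries under IObit directories =="
$suspectBinaries | Format-Table -AutoSize
"== All Windows Defender exclusions =="
$exclusions | Format-Table -AutoSize
"== Exclusions pointing into an IObit directory =="
$iobitExclusions | Format-Table -AutoSize
```

An empty first table on a machine with IObit installed is the expected clean result; any exclusion an administrator cannot account for is worth investigating even if it does not point into the IObit tree.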

When encrypting a victim's files, the DeroHE ransomware appends the .DeroHE extension to each encrypted file and appends a string of information to the end of the file. The ransomware creates two files: FILES_ENCRYPTED.html, which contains a list of all encrypted files, and a READ_TO_DECRYPT.html ransom note.

This ransom note promotes a cryptocurrency called DERO and instructs the victim to send 200 coins, worth about $100, to the address included in the note to receive a decryptor. The note also includes the ransomware's Tor payment site, a message on which states that IObit can send $100,000 in DERO coins to decrypt all victims, because, as per the attackers, it is IObit’s fault that victims’ computers got infected.

At the time of writing, IObit had not provided any statement regarding the incident. It is unknown how the hackers compromised the forum to host the malware, but it is possible that they gained access to an administrative account.

Just this week, the OpenWrt Project revealed a security breach in which attackers gained access to an administrator account on the OpenWrt forum and stole a copy of the user list, which contains email addresses, handles, and other statistical information about the users.
