The IOBit forum was breached over the weekend. The purpose of the hack was to distribute DeroHE ransomware to forum visitors.
I'm not sure whether any readers of iGuRu.gr are affected, as IOBit is not (at least for me) such a remarkable company.
This is because IOBit offers tools for cleaning and optimizing Windows systems, such as registry cleaners and malware cleaners. That is, Windows tools that are usually unnecessary and in some cases even harmful.
But there are also users who love IOBit tools.
So over the weekend, IOBit forum members received a supposedly special email claiming to be from IObit. The emails offered free 1-year licenses for the company's software as a special privilege for their participation in the forum. Of course, the emails were bait.
Anyone who clicked the "Download now" button in the message purporting to be from IOBit was automatically redirected to:
hxxps://forums.iobit.com/promo.html
From the above address the victims could download free-iobit-license-promo.zip.
The zip contained digitally signed files of the legitimate IObit License Manager program. However, the attackers had replaced the IObitUnlocker.dll file with a signed malware application. VirusTotal identified it as a trojan. This file then downloaded the DeroHE ransomware to the victim's computer.
A few hours later, the victims' systems were encrypted with the DeroHE ransomware and displayed a nice notification demanding 200 Crypto-Coins (about US$100) to unlock the encryption. Bleeping Computer analyzed the malware in a little more detail and describes its mode of operation better.