Hacked IObit forum distributes the DeroHE ransomware among users

IObit Forum Hacked
Written by Emma Davis

Bleeping Computer reports that the forum of the IObit company, which develops various utilities for Windows, was hacked last weekend. Now the DeroHE ransomware is distributed among the users of the official forum.

The problem was noticed when members of the IObit forum began to receive emails on behalf of the company, which stated that as a gift, users were entitled to a free one-year license for their software.

The link in the letter, which allegedly led to a free license, actually redirected the victims to https://forums.iobit[.]com/promo.html. Currently, this page no longer exists, but at the time of the attack it distributed the file free-iobit-license-promo.zip (VirusTotal).

"This archive contained files of the legitimate IObit License Manager program with a real digital signature, but the IObitUnlocker.dll file was replaced with an unsigned and malicious version," say Bleeping Computer journalists.

When IObit License Manager.exe was launched, the malicious IObitUnlocker.dll was also launched, and as a result, all this led to the installation of the DeroHE ransomware in C:\Program Files(x86)\IObit\iobit.dll (VirusTotal) and its execution.

Since most of the executable files were signed with an IObit certificate, and the archive was hosted on the company’s website, users willingly installed the malware, believing that they had received a gift from the company, and the trick went unnoticed. Judging by the posts on the IObit forum, the attack targeted all forum members.
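The trick described above works because a valid signature on the main executable lends credibility to an unsigned DLL sitting next to it. The following PowerShell check is an added example (not from the article or from IObit) that inspects every .exe and .dll in an extracted archive and flags any file whose Authenticode signature is missing, invalid, or issued to a different publisher than the main executable; the folder path is an assumed placeholder.

```powershell
# Added example: audit an extracted archive for DLLs that do not carry the same
# valid Authenticode signature as the main executable (the sideloading pattern
# described in the article). $Folder is a constructed placeholder path.
param(
    [string]$Folder = 'C:\Temp\free-iobit-license-promo'
)

$files = Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll -File
if (-not $files) { throw "No .exe or .dll files found under $Folder" }

# Baseline publisher: the signer of the first .exe in the archive
# (in the article this would be IObit License Manager.exe).
$exe = $files | Where-Object { $_.Extension -eq '.exe' } | Select-Object -First 1
$baseSig = Get-AuthenticodeSignature -FilePath $exe.FullName
$baseSubject = if ($baseSig.SignerCertificate) { $baseSig.SignerCertificate.Subject } else { '<none>' }
Write-Host "Baseline signer from $($exe.Name): $baseSubject (status: $($baseSig.Status))"

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

    # Suspect if the signature is not valid, or the signer differs from the baseline.
    $suspect = ($sig.Status -ne 'Valid') -or ($subject -ne $baseSubject)

    [pscustomobject]@{
        File    = $f.FullName.Substring($Folder.Length).TrimStart('\')
        Status  = $sig.Status
        Signer  = $subject
        SHA256  = $hash
        Suspect = $suspect
    }
}

# Suspect files first, so a swapped-in unsigned DLL is the first line you read.
$report | Sort-Object -Property @{Expression = 'Suspect'; Descending = $true }, File |
    Format-Table -AutoSize
```

A DLL reported as `NotSigned` or with a `Signer` that does not match the baseline is the condition to investigate before running the executable; the SHA256 column gives you a value to look up on VirusTotal or in your own telemetry.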

Bleeping Computer reporters have studied the ransomware, and write that, judging by the ransom note titled “Dero Homomorphic Encryption”, the malware is promoting the DERO cryptocurrency. To decrypt files, the victims are asked for 200 tokens worth about $100.

Moreover, the ransomware note contains a link to their onion site (http://deropayysnkrl5xu7ic5fdprz5ixgdwy6ikxe2g3mh2erikudscrkpqd.onion), where hackers not only accept payments but also offer IObit to pay 100,000 DERO to decrypt all users at once. The hackers claim that everything that happened is IObit’s fault, and therefore the company should pay.

"To implement this attack, the attackers most likely hacked into the IObit forum and gained access to the administrator account," suggests Bleeping Computer.

Even worse, the company’s forums are still compromised and dangerous. Visiting them returns a 404 error, but the browser shows prompts to subscribe to notifications. If you agree to receive notifications, they really will start coming, and mostly they will be ads for adult sites, malware and other unwanted content.

In addition, clicking anywhere on the page will open a new tab that also displays ads for adult sites. Other sections of the site seem to be compromised as well and are redirecting to porn sites too.

The malicious script that hackers have embedded on the pages of the IObit website can be seen below.

IObit Forum Hacked
Representatives of the IObit company have not yet commented on the incident and are not responding to requests from journalists.

As a reminder, we wrote that the authors of the ransomware Ryuk have already earned more than $150 million.

About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.