The Windows IObit utility developer hacked over the weekend to launch an extensive attack aimed at distributing DeroHE ransomware to its forum members.
IObit is a software developer known for optimizing the Windows system and anti-malware programs such as Advanced SystemCare.
Over the weekend, IObit forum members began receiving emails claiming to be from IObit, stating that they are entitled to a free 1 year license for their software as a special advantage of participating in the forum.
The email includes a "GET IT NOW" link that redirects users to hxxps: //forums.iοbit.com/promo.html. This page no longer exists, but at the time of the attack, we were distributing a file to hxxps: //forums.iobit.com/free-iοbit-license-promo.zip.
This zip file [VirusTotal] contains digitally signed archives by the legal IObit License Manager program, but IObitUnlocker.dll has been replaced with an unsigned malware as shown below.
When IObit License Manager.exe runs, the malicious IObitUnlocker.dll runs to install the DeroHE ransomware on C: \ Program Files (x86) \ IΟbit \ iοbit.dll [VirusTotal] and execute it.
As most executable are signed with the IOBit certificate and the zip file hosted on its website, the users installed ransomware considering it to be a promotion of company.
Based on references in the IObit forum and other forums [1, 2], this is an extended attack targeting all members of the forum.
Source of information: bleepingcomputer.com
Greek
Chinese (Simplified)
English
Greek
Russian