The Windows utility developer IObit forums hacked over the weekend, for the threat actors to distribute a peculiar strain of ransomware called “DeroHE” to its forum members. IObit is known for Windows system optimisation and anti-malware programs such as Advanced SystemCare.
Members of the forum received an email claiming to be from the company, stating that members are entitled to a free 1-year licence to their software. The email contains a malicious link that downloads a zip file to the victim’s machine. It is most likely that the threat actors compromised IObits forums to gain access to the site.
The zip file contains digitally signed files from the legitimate IObit License manager program, but a file called IObitUnlocker.dll is replaced with an unsigned malicious version. When executed, the .dll file will install the DeroHE ransomware to the “C:\Program Files (x86)\IObit\IObit.dll and execute it.
The impact
As most executables are signed with IObits digital certificate and the zip file was hosted on the legitimate site, users fell prey to the phishing campaign.
Once a user executes the “IObit License Manager.exe, the DLL file will begin the encryption process, once DeroHE is deployed, user files will be encrypted and the file extension. DeroHE will be added to the victim’s files.
The ransomware demands payment of a Cryptocurrency called DERO, demanding 200 coins worth $100. Currently, DeroHE is being investigated for weaknesses, and it is not known if the threat actors will keep their word and provide a decryption key upon payment.
The remediation:
It is important to be aware of social engineering tactics adversaries use to convince users to perform an action that works to their advantage such as, downloading a malicious payload. However, it shouldn’t stop there, users need to be educated on how to checking whether the sender and email are coming from a legitimate source.
Source: Bleeping Computer