IObit, a utility software maker for the Windows OS has its forum hacked. This malicious access was used by threat actors to distribute their DeroHE ransomware through malicious emails, faking it as a free utility software bundle. Ultimately, the ransomware will encrypt all the files and leaves a ransom note intimating them of the hack.
Ransomware Disguised in Free Software
IObit, a maker of software like system optimizer and anti-malware for windows OS, has its forum breached. This was known after the members of the forum infected with a malicious campaign of free IObit bundle, for being the members.
They reported receiving emails from IObit about a free one-year plan of their bundle, which has a link to a hxxps://forums.iobit.com/promo.html site and eventually takes to a hxxps://forums.iobit.com/free-iobit-license-promo.zip site download the zip file.
While this zip file is digitally signed by the legitimate IObit License Manager program, it has the IObitUnlocker.dll file replaced with a malicious one. Unpacking it, the malicious DLL will install the DeroHE ransomware into the C:\Program Files (x86)\IObit\iobit.dll and execute it.
This happened so smoothly since users believed the software to be legit, as its having digital signatures from IObit and hosted on their official site. Opening it, they’ll be shown a dialogue box not to lock out the screen nor the system while it’s processing. But in the background, the ransomware is encrypting the files of the host.
After doing so, the ransomware group makes two folders on the desktop screen, one to let the victim know what all files were encrypted and the other is the ransom note. Surprisingly, the hackers are asking for payment in terms of DeroHE coins, which is a cryptocurrency like Bitcoin.
It gives the victim a darknet link to the payment page, where it’s asking for 200 DeroHE coins, translating to around $100. Also, it blames the IObit for his hack and persuades victims to make IObit pay 100,000 in Dero coins to decrypt everyone’s systems.