DeroHE Ransomware Distributed Through Fake IObit Downloads

January 31, 2021

In the news this week, the software vendor IObit was the victim of a massive supply chain attack combined with a large social engineering campaign. Many users received an email from IObit saying they were entitled to a free 1-year license of IObit malware software.

When users clicked on the promo, they downloaded a legitimate copy of the software, but embedded in it was a malicious file named IObitUnlocker.dll which, if executed, would launch the ransomware on the end user's device.

Once the program is installed, it hides itself from Windows Defender, the built-in antivirus, by adding itself to the Windows Defender exclusion list.

WMIC – Exclude Instructions for Windows Defender
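The exclusion-list trick above leaves a telemetry trail: a process-creation record for the WMIC call and a Defender configuration-change event (ID 5007) for the exclusion it writes. As an added example that is not part of the original post, the Python below runs that detection logic over constructed log records (the command line, paths and message text are assumptions modelled on Sysmon Event ID 1 and Defender Event ID 5007) and rates the hit higher when the parent process lives in a user-writable directory, as an installer run from Downloads would.

```python
import re

# Constructed sample events (not real telemetry): a Sysmon process-creation
# record (Event ID 1) for the WMIC call, the Defender configuration-change
# record (Event ID 5007) it produces, and a benign WMIC inventory query.
SAMPLE_EVENTS = [
    {"source": "Microsoft-Windows-Sysmon", "id": 1,
     "parent": r"C:\Users\victim\Downloads\iobit-promo\setup.exe",
     "cmd": r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference '
            r'call Add ExclusionPath="C:\Users\victim\AppData\Roaming"'},
    {"source": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": r"Antivirus configuration has changed. New value: HKLM\SOFTWARE\Microsoft"
                r"\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Roaming = 0x0"},
    {"source": "Microsoft-Windows-Sysmon", "id": 1,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic os get Caption"},
]

# WMIC adding any kind of Defender exclusion through the MSFT_MpPreference class.
WMIC_EXCLUSION = re.compile(r"MSFT_MpPreference.*\bAdd\b.*Exclusion(Path|Extension|Process)", re.I)
# The registry key Defender reports in event 5007 when an exclusion is written.
EXCLUSION_KEY = re.compile(r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)", re.I)
# Locations an unprivileged user (or a downloaded installer) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def parent_is_user_writable(path):
    """True when the parent binary sits where an unprivileged user could drop it."""
    return any(seg in path.lower() for seg in USER_WRITABLE)

def classify(event):
    """Return (severity, reason) for an exclusion-tampering event, else None."""
    if event["source"].endswith("Sysmon") and event["id"] == 1:
        m = WMIC_EXCLUSION.search(event.get("cmd", ""))
        if not m:
            return None
        # An installer launched from Downloads adding an exclusion is the IObit
        # scenario; the same call from an admin shell rates lower, not zero.
        sev = "high" if parent_is_user_writable(event.get("parent", "")) else "medium"
        return sev, f"WMIC added Defender {m.group(1)} exclusion (parent: {event['parent']})"
    if "Windows Defender" in event["source"] and event["id"] == 5007:
        m = EXCLUSION_KEY.search(event.get("message", ""))
        if m:
            return "medium", f"Defender config change wrote an exclusion under {m.group(1)}"
    return None

def scan(events):
    """Return [(event id, severity, reason)] for every event that fires."""
    return [(e["id"], *hit) for e in events if (hit := classify(e))]
```

Running `scan(SAMPLE_EVENTS)` flags the WMIC exclusion call as high and the 5007 event as medium while the inventory query stays silent; in production the same two rules map onto Sysmon and the Microsoft-Windows-Windows Defender/Operational channel.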

Once loaded, the ransomware displays a screen telling the user to wait for the program to load while it sets up the ransomware payload in the background. After the payload is dropped and your files are encrypted, the encrypted files carry a .DeroHe extension and you are given a link to an onion site instructing you to pay to decrypt your files.

If you are a user of the iobits.com forums, I would strongly suggest you change your username and password. I'd also suggest you don't visit the forum until they upgrade their forum software, which is running a vulnerable version of vBulletin, 5.6.1. This version of vBulletin is vulnerable to SQL injection attacks.

https://www.acunetix.com/vulnerabilities/web/vbulletin-5-6-1-nodeid-sql-injection/

I know it is hard, but this is an example of when something is too good to be true. Stay vigilant out there, friends.
