Original Release Date: 1/21/2021
IObit, a Windows systems software development company known for optimization utilities and anti-malware programs, was compromised and exploited in order to deploy the DeroHE ransomware. IObit forum members were targeted via a phishing email that offered a free one-year license to the developer’s software. The enclosed link redirected recipients to a ZIP file hosted on an IObit forum page that contained digitally signed files from the legitimate IObit License Manager program; however, IObitUnlocker.dll had been replaced with an unsigned malicious version. If the ZIP file is downloaded, DeroHE ransomware is installed. Researchers determined that the forums still appear to be compromised, with some 404-error and “not found” pages pushing adult content web advertisements. At the time of this writing, there is no known decryption tool for DeroHE ransomware.
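The package described above is a mix of legitimately signed files and one unsigned, substituted DLL. A defender can surface that mismatch before anything is executed by checking the Authenticode status of every executable file in the extracted archive. The script below is an added example, not part of the NJCCIC advisory or of any IObit tooling; it uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and the extraction path is a placeholder assumption.

```powershell
# Added example (not from the NJCCIC advisory): report every .exe/.dll in an
# extracted archive whose Authenticode signature is missing or invalid, and
# show whether all signed files share one signer. Placeholder path below.
param(
    [string]$ExtractedDir = 'C:\Temp\extracted_package'   # assumption: where the ZIP was unpacked
)

if (-not (Test-Path -Path $ExtractedDir)) {
    throw "Directory not found: $ExtractedDir"
}

# One record per PE file: signature status, signer subject and SHA-256 hash.
$records = Get-ChildItem -Path $ExtractedDir -Recurse -File -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status                      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Any file that is not 'Valid' is suspect. In the case described in the
# advisory, the replaced IObitUnlocker.dll would appear here as NotSigned.
$suspect = $records | Where-Object { $_.Status -ne 'Valid' }

# A legitimate installer package is normally signed by a single publisher;
# more than one distinct signer among the valid files is worth a second look.
$signers = $records | Where-Object { $_.Status -eq 'Valid' } |
    Select-Object -ExpandProperty Signer -Unique

Write-Host "Files inspected : $($records.Count)"
Write-Host "Distinct signers: $($signers.Count)"
$signers | ForEach-Object { Write-Host "  $_" }

if ($suspect) {
    Write-Warning "Unsigned or invalidly signed files found:"
    $suspect | Format-Table File, Status, SHA256 -AutoSize
    exit 1          # non-zero so the check can gate an automated pipeline
} else {
    Write-Host "All PE files carry a valid Authenticode signature."
    exit 0
}
```

Run it from a PowerShell prompt after extracting a downloaded archive into a scratch directory, without executing anything inside it. A non-zero exit code means at least one .exe or .dll failed signature validation; the SHA-256 hashes in the table can then be submitted to your sandbox or threat-intelligence platform for triage.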
The NJCCIC recommends users avoid clicking on links or opening attachments found in unsolicited emails or messages that convey a “too good to be true” offer. Additionally, users are urged to avoid IObit forum webpages until the compromise is contained. Further reporting may be found in the Bleeping Computer article and additional ransomware mitigation strategies can be found in NJCCIC’s Technical Guide.