Windows utility developer IObit was targeted in a widespread attack that distributed the strange DeroHE ransomware to its forum members.
IObit forum members began receiving emails claiming to be from IObit stating that they are entitled to a free 1-year license to their software as a special perk of being a forum member.
The email also included a 'GET IT NOW' link that redirected to hxxps://forums.iobit.com/promo.html, which was meant to distribute a zip file.
This zip file [VirusTotal] contained digitally signed files from the legitimate IObit License Manager program, but with the IObitUnlocker.dll replaced with an unsigned malicious version.
For those who executed it, the malicious IObitUnlocker.dll installed the DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll [VirusTotal].
According to the reports, this was a widespread attack that targeted all forum members.
TPRM report: https://scoringcyber.rankiteo.com/company/iobit
{
  "id": "iob2036251122",
  "linkid": "iobit",
  "type": "Ransomware",
  "date": "01/2021",
  "severity": "75",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': ['IObit Forum Members'],
                        'industry': 'Software Development',
                        'name': 'IObit',
                        'type': 'Company'}],
 'attack_vector': ['Phishing Email', 'Malicious Link', 'Malicious DLL'],
 'description': 'Windows utility developer IObit was targeted in a widespread '
                'attack that distributed the DeroHE ransomware to its forum '
                'members.',
 'initial_access_broker': {'entry_point': 'Phishing Email'},
 'motivation': ['Financial Gain'],
 'ransomware': {'ransomware_strain': 'DeroHE'},
 'references': [{'source': 'VirusTotal'}],
 'title': 'IObit Forum Ransomware Attack',
 'type': 'Ransomware Attack'}