A number of cybersecurity experts predicted at the end of the year that hackers will quickly learn lessons from the SolarWinds Orion supply chain hack to distribute malware. It seems they already have.
According to Bleeping Computer, there’s apparently been a compromise at a San Francisco-based software company named IObit, which makes Windows utilities. Just like the corruption of the SolarWinds update mechanism to install a backdoor in Orion, the update process in IObit has been manipulated to distribute ransomware.
Bleeping Computer says that over the weekend, users of the IObit forum began receiving emails claiming to be from the company saying users were entitled to a free one-year license to their software for being a forum member. The message includes an image of IObit products wrapped in a gift bow to convince readers of its authenticity. A link in that email went to a site that looked legitimate for downloading the zip file update.
However, the file included malware. The supposed licence extension even included digitally signed verification files from IObit. That’s the same way the SolarWinds hackers were able to get their malware to pass as an update for Orion. However, the malware in the IObit update was ransomware.
The site with the phony update has since been taken down. Bleeping Computer suspects that to create the fake promotion page and host a malicious download the attackers hacked IObit’s forum and gained access to an administrative account.
The response so far
Asked for comment on the report, Emma Chen of IObit said that on Jan. 17, the company found the attack through the bug on the IObit forum, which is built on a third-party platform. “We immediately closed the whole forum and updated our database to stop the spread of the ransomware. And for now, we are trying to build an IObit forum with a new and safer platform.”
IObit’s products include Advanced SystemCare 14 Pro for optimizing PCs; IObit Malware Fighter 8; Protect Folder and Password Generator.
Bleeping Computer says the ransomware strain is called DeroHE because it appends the .DeroHE extension to encrypted files.
After compromising Windows Defender with an infected DLL, the ransomware displays a message box claiming to be from IObit License Manager stating, “Please wait. It may take a little longer than expected. Keep your computer running or screen on!” That stops victims from shutting off their devices before the ransomware finishes.
When finished, a ransom note is displayed, asking for payment in a cryptocurrency called DERO to get the decryption key. There’s also a link to a Tor site the Tor site that says IObit can send US$100,000 in DERO coins to decrypt all victims.