IObit forums hacked?

Discussion in 'other software & services' started by stapp, Jan 17, 2021.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,902
    Location:
    UK
  2. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I received the email and downloaded and ran the malware. Fortunately I realised that something was amiss right away and was able to terminate and remove the malware before any damage was done.

    It's a definite reminder of the need to always be very careful about what files you open. While I am always careful, in this case I was not careful enough. At least no damage was done and my system is clean now.
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,902
    Location:
    UK
    @roger_m
    Good to hear that your system is clean now.
    As you say, it's a definite reminder to always be on your guard no matter what you level of computer experience you have.
     
  4. BigBear68

    BigBear68 Registered Member

    Joined:
    Mar 9, 2019
    Posts:
    71
    Location:
    United Kingdom
    I also received the email,but Gmail caught it and put it in spam,thats where its staying.
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,565
    Hope the victims can get their files back.

    Also this is a good reason why having a good antivirus/computer security is important.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,643
    Location:
    U.S.A.
    Referring to the bleepingcomputer.com article, I wonder if the IObit forum was hacked or possibility a server hosting IObit user e-mail addresses.

    I am assuming that everyone that received this malicious e-mail was an IObit user? In other words, this was a targeted phishing attack making it all the more dangerous.

    Also a bit of common security sense goes a long way in this regard. I know of no security vendor that would attach an executable to an e-mail if this was the case. Also, many third party e-mail providers will not deliver e-mail with such an attachment.
     
    Last edited: Jan 18, 2021
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I would like to know what actor was behind this. It seems a bit sophisticated for a "regular" type of hack. It was engineered so well that even those with a good sense of security practices fell for it.

    The Bleeping Computer thread is still active, still some posts being made. There are still some reports of the IOBit site "acting a little funny." This is pretty interesting, but of course, probably not for those who got stung by it.
     
  8. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,902
    Location:
    UK
  9. guest

    guest Guest

    IObit forums hacked in widespread DeroHE ransomware attack
    January 18, 2021
    https://www.bleepingcomputer.com/ne...acked-in-widespread-derohe-ransomware-attack/
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,643
    Location:
    U.S.A.
    Per the above linked bleepingcomputer.com article, this is how the bugger bypassed Windows Defender:
     
  11. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    you think it would make any difference had the user had hard_configurator/configuredefender on their system? i believe it would.
     
    Last edited: Jan 18, 2021
  12. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I added this rule in OSArmor just now. Hopefully, it's enough.

    osawmic.PNG

    This is about as perfect an example you can get of how a third party software or two like OSA and/or H_C can seriously augment Defender.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,643
    Location:
    U.S.A.
    This wouldn't have stopped this attack.

    Attacker used WMIC to add the WD exclusions. I don't believe any process was spawned from WMIC to accomplish this. Direct monitoring of WMIC execution via a HIPS for example, would have alerted to the nefarious WMIC activity. However, one would have to examine what was shown in the WMIC alert to determine this.

    Ref.: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.

    Appears Group Policy can lockdown which WD settings can be modified via WMI.
     
    Last edited: Jan 18, 2021
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,902
    Location:
    UK
    Apparently one of the people who experienced this used Kaspersky, which also said nothing.
    Of course at that time it wasn't listed on Virus Total.
     
  15. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,565
    Virustotal only says about signature protection. This experience says more about its zero-day protections
     
  16. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    The file IObitUnlocker.dll is currently identified by 19 scanners when scanned at VirusTotal. However, it's worth noting that this ransomware is using a legitimate copy of IObit Unlocker to launch the attack. The IObit License Manager.exe file is the actual IObit Unlocker exe file. The file IObitUnlocker.dll has been replace with malware, meaning that malware runs when you open IObit License Manager, rather than IObit Unlocker.

    There's two other files, IObitUnlocker.sys and IObitUnlockerExtension.dll, which are also the original ones.
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,118
    Location:
    DC Metro Area
    Does Kaspersky have a roll-back function?

    If so, shouldn't Kaspersky have protected despite no signature ??
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,118
    Location:
    DC Metro Area
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,902
    Location:
    UK
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,118
    Location:
    DC Metro Area
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,928
    Location:
    The Netherlands
    It really is weird, all of these big name AV's claim to offer zero day protection, but why couldn't they block this? Would be interesting to know if Win Def could have blocked it. And that's why I always keep saying it's best to combine AV's with specialized tools like HMPA, AppCheck or SpyShelter. This is a quite clever attack that could have fooled anyone.

    I'm also not sure if it would have helped, I do see that in the last freeware version of OSArmor there is a rule called "prevent WMIC from using process call create via cmdline''. But the real question should be: is it really this easy to add files to the Win Defender exclusions list, what the hell? But even if it wasn't scanned, shouldn't the behavior blocker step in? Probably not since it's cloud based and that's a serious weakness.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,643
    Location:
    U.S.A.
    It's still unclear how WMIC was used to set WD scanning exclusions for rundll32, temp directory, etc.. I don't beleive cmd.exe was deployed in this.

    If you enable OSA Advanced profile, it will detect rundll32.exe attempting to run a user space .dll. In most cases, like .dll execution is nefarious but there could be also valid reasons to do so. For example, nVidia graphics driver installers are famous for this. In this case however, I assume rundll32.exe was running the .dll containing the ransomware from a runonce registry key. Again, this type of run activity is usually malicious but not always.

    Also assume we don't have all the details in this attack. Once the hacked IOBit installer completed execution, it could have displayed an alert to reboot to complete the installation; common in security software installations. An OSA alert of rundll32.exe running an IOBit related .dll at subsequent reboot would then be viewed OK and related to the installation process.
     
    Last edited: Jan 20, 2021
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,643
    Location:
    U.S.A.
    A couple of other web comments I saw related to this attack.

    A Kaspersky user stated he was nailed by it. Another user stated he was able to stop the ransomware activity w/o serious damage because the ransomware started encrypting files first on his non-OS installation hard drives. Makes one believe that Kaspersky's ransomware "behavior detection" is conditioned to non-LOLbins process activity. And/or LOLbin ransomware activity that immediately starts encryption on boot drive default protected files.
     
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    It's because no antivirus, no matter how good it is claimed to be, provides 100% protection. Any of the better antiviruses provide zero day protection via behaviour blocking and other techniques, but this is never foolproof.

    In my case, although I didn't realise it right away, a lot of my files were encrypted. It's a shame my antivirus failed to detect this. But as always, I don't depend on antivirus software to protect me. My main line of defence is keeping my system updated and being careful about what files I open. In this case, I should have taken more care. However, in order to be better protected, I have now installed the excellent WiseVector StopX, alongside 360. 360 Total Security has a performance mode, which lets you use it alongside another antivirus, so I have enabled that.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    I'm running HitmanPro.Alert, which looks to me like it might have a decent chance against this ransomware threat.

    https://www.hitmanpro.com/en-us/alert.aspx
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.