khairulaizat92, posted January 19, 2021

News from Bleeping Computer: https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/

Personal note: Man, that's nasty. If the ESET forum were hacked and I got this type of email, I would surely be tricked. Anyway, when I checked on VirusTotal, ESET still had not updated the DLL detection. I wonder if in real time it has already been added to the detection?
Marcos (Administrator), posted January 19, 2021

The malicious DLL is already detected. VT uses an on-demand scanner which relies on engine updates. Moreover, there may be a delay of one hour after the engine update before VT reports current scan results.

iobit.dll - a variant of WinGo/Filecoder.DeroHE.A trojan

Also, I can assure you that we take security seriously and have always taken measures to harden the forum against attacks.
itman, posted January 19, 2021 (edited)

The main thing to know about this attack is that Windows Defender was bypassed, since the malware created exclusions in WD to allow its malicious .dll to run undetected. Kaspersky also didn't stop files from being encrypted by the ransomware portion of the attack. Per a malwaretips.com poster:

Quote: "Kaspersky did not react in any way, except for the notification about the tor.exe files in the temp directory attempting to go online."

Waiting until someone does a detailed analysis on this puppy.

Edited January 19, 2021 by itman
Nightowl (Most Valued Member), posted January 20, 2021

These are the links for the ZIP archive and the DLL file:

https://www.virustotal.com/gui/file/2138091055ad48988e5b94a6ca95663ef715dbd36893e59d71269318bcf7aeb5/detection
https://www.virustotal.com/gui/file/976af19ce19cd9dc4ff6fd7cb580c16fac25c046ad9fd529bf50451db6032727/detection

And according to BleepingComputer, the forum was breached through this vulnerability: https://www.acunetix.com/vulnerabilities/web/vbulletin-5-6-1-nodeid-sql-injection/
itman, posted January 20, 2021 (edited)

Elaborating on this attack, the details are as follows. The IObit forum website was compromised by an attacker who gained admin access to the site. This allowed him to harvest e-mail addresses of forum users and plant a malicious download on the forum web site. The attacker then sent e-mails to IObit forum users stating they were the winners of a free one-year license to an IObit security product. At this point, note that the e-mail would appear legit since the sender's address was legit. The following are excerpts from the bleepingcomputer.com article.

Quote: "Included in the email is a 'GET IT NOW' link that redirects to hxxps://forums.iobit.com/promo.html. This page no longer exists, but at the time of the attack, it was distributing a file at hxxps://forums.iobit.com/free-iobit-license-promo.zip. This zip file [VirusTotal] contains digitally signed files from the legitimate IObit License Manager program, but with the IObitUnlocker.dll replaced with an unsigned malicious version shown below. When IObit License Manager.exe is executed, the malicious IObitUnlocker.dll will be executed to install the DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll [VirusTotal] and execute it."

The ransomware iobit.dll noted above was copied to a WinLogon autorun entry (I assume this refers to the registry RunOnce key) and executed the next time the user logged on to his device.

Quote: "When first started, the ransomware will add a Windows autorun named "IObit License Manager" that launches the "rundll32 "C:\Program Files (x86)\IObit\iobit.dll",DllEntry" command when logging in to Windows."

This is a classic example of a targeted e-mail phishing attack enhanced by added e-mail legitimacy from a trusted e-mail sender and a download from the same trusted source web site.
The only way this could have been prevented, other than not accessing the e-mail link, performing the download, and executing the download, would have been to inquire on the IObit forum web site whether this promo was indeed legit. That is, to have performed a "two-factor authorization." Also important is that it is not standard practice to host a software download on a forum or similar web site. This would only be done via direct request from a forum moderator for problem resolution, etc., and even then, the download is from a non-forum source.

Edited January 20, 2021 by itman
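The persistence and the Defender-exclusion tampering described in this thread can be audited on an endpoint. The following PowerShell script is an added example, not code from the thread or from any vendor: it assumes Windows 10 or later with the Defender PowerShell module, an elevated session, and it enumerates Run/RunOnce values for rundll32 launching a DLL from outside the Windows directory (or with an invalid signature), then lists the current Defender exclusions.

```powershell
# Added example (not from the thread). Audits Run/RunOnce autoruns for
# rundll32 invoking a DLL that lives outside %WINDIR% or is not validly
# signed, then dumps the Defender exclusion lists. Run as Administrator.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata properties attached to every registry item; not values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$winDir    = [System.Environment]::GetFolderPath('Windows')

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }
        $cmd = [string]$prop.Value
        # Matches both  rundll32 "C:\dir\x.dll",Entry  and  rundll32 C:\dir\x.dll,Entry
        if ($cmd -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)') {
            $dll       = $Matches[2]
            $entry     = $Matches[3]
            $outsideWin = -not $dll.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
            $sigStatus = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Dll        = $dll
                EntryPoint = $entry
                Signature  = $sigStatus
                # Flag for triage: DLL outside the Windows directory or not validly signed
                Suspicious = ($outsideWin -or ($sigStatus -ne 'Valid'))
            }
        }
    }
}

# Exclusions an attacker may have added so the dropped DLL is never scanned.
$pref = Get-MpPreference
'Defender path exclusions:';      $pref.ExclusionPath
'Defender extension exclusions:'; $pref.ExclusionExtension
'Defender process exclusions:';   $pref.ExclusionProcess
```

Any entry reported as Suspicious, or any exclusion covering a per-user or vendor install directory, warrants a look at when the value was written and by which process.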
itman, posted January 20, 2021 (edited)

Since there have been past complaints about ESET blocking IObit web sites and software to boot, note the following, also from the bleepingcomputer.com article. Obviously, the attacker used this vulnerability to exploit the IObit web site.

Quote: "Updated 01/19/20: A security researcher known as Ronny told BleepingComputer IOBit is using vBulletin 5.6.1 for their forum software. This version of vBulletin has a known vulnerability that allows remote attackers to gain control over the forum."

Edited January 20, 2021 by itman
Lockbits, posted January 21, 2021

On 1/19/2021 at 9:08 AM, Marcos said: "The malicious DLL is already detected. VT uses an on-demand scanner which relies on engine updates. Moreover, there may be a delay of one hour after the engine update before VT reports current scan results. iobit.dll - a variant of WinGo/Filecoder.DeroHE.A trojan. Also, I can assure you that we take security seriously and have always taken measures to harden the forum against attacks."

Hi Marcos, just out of curiosity: why is this signature WinGo and not Win32/64? Thank you.
Marcos (Administrator), posted January 21, 2021

3 hours ago, Lockbits said: "Hi Marcos, just out of curiosity: why is this signature WinGo and not Win32/64?"

Because it's written in the Go language.