IOBit forum hacked?

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/forums/t/741190/help-iobit-forum-hacked-free-1-year-license-malware-link-sent-to-hundreds/

A few weeks ago, I registered to the IOBit Software Support Forums to report a bug in their software. Yesterday, I received an email (appearing to be) from them awarding forum members "a free 1-year license" with download link.

I'm usually a tech savvy guy and know better to download/run strange software, but everything looked legit (email address, artwork, link on their URL), so I downloaded the "freebie" patch that all alleged to register my IOBit software.

Hours later, my computer was completely trashed. Fortunately, I backup my boot drive every month and was able to get a working system again, but the damage the malware did was extensive and I need help recovering.

The malware went through my computer and changed the extension of over 121K files to ".DeroHE". Worse, it either corrupted the headers of those files or they are only fragments of files.

Text files are no problem. Simply change the extension to ".txt". But thousands of other files were not only renamed, but the file type was stripped from the header (bmp, ico, png, jpg, zip, rar, pdf... you name it. Trashed.) Trashed files can't be even be identified by examining the header in "Notepad++". Source code files belonging to my "Visual Studio" projects also trashed. The damage (and possible loss) is extraordinary.

And "Windows Defender" missed it all.

To recover from this disaster, I need two things: A utility that can identify/fix the now unidentifiable files, and a program that can find & rename every file whose extension was changed (preferably one program that can do both.) Do you know how long it would take to go through 121K+ files by hand, identify them (if possible) and rename them? Just the text messages alone would take ages.
I'm beyond pissed. Even the "IOBit" website appears to be down as I tried to report the problem (either hacked or they took it down themselves till they remedy the hack.)

 

[Lightning_Brian]

Woooweee... Now that sounds like a awful experience there. Perhaps another reason I should stay away from IOBit? Yikes!

Glad you posted this for others to get a FYI and gain knowledge @Gandalf_The_Grey ! Bleeping Computer is a great website.

~Brian

 

[upnorth]

Seems both the main site and the forum works, again?

Sounds to me more like a case of accidentally click and download from a source in the email that wasn't IObit.

 

[FireHammer]

Sounds really awful, I am very sorry this should blowback on you, you are in my thoughts @Gandalf_The_Grey.

 

[plat]

FireHammer said: Sounds really awful, I am very sorry this should blowback on you, you are in my thoughts @Gandalf_The_Grey.

I don't think it was Gandalf_The_Grey personally, lol. Sounds anecdotal. It's a cry for help actually, in the BC ransomware removal forums.

I looked there, there are 34 users reading the thread, that's a LOT, right?

Spoiler

 

[FireHammer]

I don't think it was Gandalf_The_Grey personally, lol. Sounds anecdotal. It's a cry for help actually, in the BC ransomware removal forums.

I looked there, there are 34 users reading the thread, that's a LOT more than usual, if you ask me.

Spoiler

View attachment 253075

Oh silly me, sorry I misunderstood

 

[Gandalf_The_Grey]

It wasn't me, but it never hurts to warn.
Could well be like @upnorth said a case of accidentally click and download from a source in the email that wasn't IOBIT.
But the post from @Trismer indicates there could be a problem.
That's why there is a question mark in the title.
There are a lot of spam mails these days.
Just don't open an unexpected gift from IOBIT.

 

[upnorth]

If someone wants to research a sample, perhaps with a premium on any.run, write me your mail in pm, I will forward it to you for research.

Nope thanks as the main topic is about the IObit forum and it's main site. That people gets all sort of malware in their mail is no automatic proof. I rather close this thread if it starts to get too much of speculation.

 

[upnorth]

That, is way too little evidence that it actually came from IObit and that IObits forum and main site was/is hacked. Spoofing email addresses is way too common among spammers/scammers. Those files also looks like a very typical crack share so I wouldn't be surprised if they where malicious.

Hi

Thanks for your feedback.

We don't have such an offer. It is a scam! Please do not click any link or download button in it.

We've forwarded it to our relevant team and will solve it asap.

Thanks again.

https://forums.iobit.com/forum/advanced-systemcare/advanced-systemcare-14/232221-1-year-licence-one-virus?p=232224#post232224

 

[upnorth]

Update!

IObit forums hacked to spread ransomware to its members

Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.

www.bleepingcomputer.com

Thanks btw @Gandalf_The_Grey for sending me more information. Much appreciated.

Kaspersky already has an assessment on the 2 reported .js files. Adware. I'm waiting for 2 more vendors and will add that info as soon I have it.

vBulletin 5.6.4 is now available for Download. - vBulletin Community Forum

<h1>vBulletin 5.6.4 Updates and Changes</h1> <p>vBulletin 5.6.4 is now available for download. vBulletin Cloud customers will be updated automatically in the upcoming days.</p> <h2>Front End Changes</h2> <h3>Lightbox</h3> <p>The attachment system now uses the Lightbox

forum.vbulletin.com

Spoiler: IObit forum software version