Unknowns have pwned the Dridex botnet and are using it to spread a legitimate copy of the Avira Antivirus software instead the malicious payload.

This story is very intriguing, someone has hacked a portion of the dreaded Dridex botnet and replaced malicious links with references to installers for the Avira Antivirus. The Antivirus company denies any involvement and speculate the involvement of an unknown white hat hacker.

Spam campaigns relying on the Dridex malware are threatening banking users across the world despite the operations conducted by law enforcement on a global scale. We left Dridex malware spreading across the Europe, in particular targeting the customers of the banks in the UK. In October, the NCA has uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.

d1

Now Dridex is once again in the headlines, spam emails containing the famous malware are continuing to target netizens despite the arrest of one of its botmasters in August.

In October the experts at Palo Alto Networks confirmed that the overall volume of Dridex emails peaked nearly 100,000 per day, the campaign rapidly reached 20,000 emails, mostly targeting emails accounts in the UK.

Spam messages often include malicious Word documents embedded with macros, when victims open the macros download the Dridex payload from a hijacked server. Dridex is a banking trojan that relies on web injection to manipulate banking websites and use a keylogger component to monitor victim’s activity.

Now someone has pwned the Dridex botnet and is using it to spread a legitimate Antivitus software instead the malicious payload. Despite the noble intent, even the action of this unknown is illegal because he is spreading an installer on the victims’machine without their consensus.

“The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” explained Moritz Kroll, a malware researcher at Avira.

“We still don’t know exactly who is doing this with our installer and why – but we have some theories,” said Kroll. “This is certainly not something we are doing ourselves.”

“A whitehat may have hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,” added Kroll.

Avira was involved in a similar case in the past when the installer has been included into the CryptoLocker and Tesla ransomware.

Pierluigi Paganini