How about a free antivirus instead of some Dridex malware?

Feb 5, 2016 11:32 GMT

An unknown white hat hacker has hijacked the Dridex botnet and is now delivering a copy of Avira Free Antivirus instead of the original trojan specialized in banking operations.

Avira researchers discovered this a few days back and said they are not behind it in any way.

Dridex is one of the most successful botnets of all time, having made tens of millions of dollars, but most of its activity died down after one key member was arrested in Paphos, Cyprus, after trying to defraud a bank of $3.5 million / €3.12 million.

Dridex spreads via spam and malicious Word documents

Prior to this incident, Dridex's normal mode of operation relied on spam emails carrying malicious Word documents. When users downloaded and opened these files, they were asked to enable a Word feature called macros.

Macros allow Word (and other Office applications) to run a series of automated operations. In this case, the malicious Word file's macro downloaded and installed the Dridex trojan.

Dridex, which works by injecting fake content into web pages and stealing banking credentials, relied heavily on these Word macros to download and install the trojan.

Somebody might have hijacked Dridex's C&C server

As of a few days ago, these Word macros, which download the trojan by contacting a C&C (command and control) server, receive the Avira antivirus installer instead.

Chances are that someone hacked the C&C servers and redirected all incoming download requests to a new file: the Avira antivirus installer. It is not uncommon for C&C servers to get hacked. Cybergangs do it to each other, often hacking and hijacking their adversaries' botnets to bolster their own.

Having a white hat hacker do it instead is reminiscent of the Linux.Wifatch incident from last October, when a group of white hat hackers calling themselves The White Team created a malware family that infects vulnerable IoT devices and then tries to improve their defenses.

"We still don’t know exactly who is doing this with our installer and why – but we have some theories," said Moritz Kroll, malware expert at Avira. "This is certainly not something we are doing ourselves."