The Dridex banking trojan that is widely being used by cyber criminals to distribute malware onto users' machines has now been found distributing a security software.

A portion of the Dridex banking Trojan botnet may have been hacked or compromised by an unknown Whitehat Hacker, who replaced the malicious links with Avira Antivirus installers.

What is Dridex Banking Trojan? How it Works?

Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.

The Dridex virus typically distributes itself through spam messages or emails that include malicious attachments, most often a Microsoft Office file or Word document integrated with malicious macros.

Once the malicious file has been clicked, the macros download and install the main payload of the virus – the trojan program itself – from a hijacked server, which installs and runs on the victim's computer.

The Dridex trojan program then creates a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.

This results in stealing victim's personal data like usernames and passwords, with an ultimate aim to break into bank accounts and siphon off cash.

Hacker replaces Trojan with Anti-virus

However, the recent Hack Surprises: Instead of distributing banking trojan, a portion of the Dridex botnet currently seems to be spreading legitimate copies of the free anti-virus software from Avira, as the company has announced itself.

"The content behind the malware download [link] has been replaced, it is now providing [a legitimate], up-to-date Avira web installer instead of the usual Dridex loader," explained Avira malware expert Moritz Kroll, reported Reg.
Avira believes that the white hat hacker or hackers may have hacked into a portion of infected web servers using the same flaws the malware authors used and then replaced the malicious code with the Avira installer.

So, once infected, instead of receiving Dridex malware, the victims get a valid, signed copy of Avira antivirus software.

"We still don't know exactly who is doing this with our installer and why – but we have some theories," said Kroll. "This is certainly not something we are doing ourselves."

Although the motives behind including the Avira software is still unclear, these kinds of actions are considered to be illegal in many countries, said Kroll.

What can be done to protect From Malware Attacks?

The guidance for preventing yourself from being a part of the Dridex Banking Trojan botnet is:
  • Ensure you have an updated antivirus program running on your PC, which should be able to intercept the malicious attachments before they are opened.
  • One of the best measures for securing your online environment is to deploy an Intrusion Detection System (IDS) at the network layer, which is especially useful to quickly detect malware and other threats in your network when integrated with a real-time threat intelligence and SIEM (Security Intelligence and Event Monitoring) solution, such as AlienVault Unified Security Management (USM).
  • Be careful of opening email attachments sent from an unknown email address, particularly (in this case) Microsoft Word and Excel files.
  • Disable Macros in MS Office, or at least set the Macros to request permission before they run.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.