Part of the Dridex botnet's distribution channel was hijacked by an unknown party: the Trojan was replaced by Avira antivirus installers!
The Dridex botnet remains an active threat, even after an attempt to remove it at the end of 2015.
The malicious code distributed by Dridex usually arrives in the form of spam messages carrying malicious attachments. The files used most often are Word documents with embedded malicious macros.
Once the victim opens the file, the macros download the malware from a remote server. Dridex installs a keylogger on infected computers and, using transparent redirects and web injects, captures codes from banking sites.
But the recent botnet hack was done for very different purposes.
"The malware's download URL has been replaced with a link leading to an updated Avira antivirus installer," explained Moritz Kroll, Avira's malware expert.
So instead of malware, the victims download a valid, signed copy of Avira's protection software.
"We do not know exactly who did it and why - but we do have some theories," Kroll said.
A possible explanation is that a white hat hacker managed to take over the botnet's control systems and changed the malicious URLs to those of Avira.