Part of the distribution channel of the Dridex banking Trojan botnet may have been hacked, with malicious links replaced by installers for Avira Antivirus.

Avira reckons the pwnage is down to the work of an unknown white hat hacker.

The Dridex botnet has remains a menace even after a high profile takedown operation in late 2015. Malicious code used to seed Dridex typically comes in the form of spam messages with malicious attachments, often a Word document embedded with malicious macros.

Once the file has been opened, the macros download the payload from a hijacked server, and the computer is infected. Dridex creates a key-logger on infected computers as well as using transparent redirects and webinjects to manipulate banking websites.

But the recent hack means part of the botnet has been requisitioned to quite different ends. “The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” explained Moritz Kroll, a malware expert at Avira.

The end result is that instead of the Dridex malware that they would have received, victims get a valid, signed copy of Avira instead.

“We still don't know exactly who is doing this with our installer and why – but we have some theories,” said Kroll. “This is certainly not something we are doing ourselves.”

One possible, though unlikely, explanation is that cybercrooks are distributing anti-malware software, essentially to mess with the head of security firms and perhaps throw them off their game. A more likely scenario is that a white hat hacker has taken over botnet control systems and is in the process of trolling VXers.

“A whitehat may have hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,” explained Kroll, adding that (whatever their motivations) these types of actions would be illegal in many countries.

The whole curious incident is not without its precedents. The Avira installer has been added to CryptoLocker and Tesla ransomware in the past. “With CryptoLocker, the malware was in many, but not all cases, expecting CnC communication, so the executable would not be accepted and Avira could not be executed. And at that time, we saw that many of the changes were at one specific provider,” said Kroll.

With Tesla, the motive behind including the Avira installer is still unclear. ®