The Dridex banking trojan that is widely being used by cyber criminals to distribute malware onto users' machines has now been found distributing a security software.





Dridex banking Trojan botnet may have been hacked or compromised by an unknown Whitehat Hacker, who replaced the malicious links with Avira Antivirus installers. A portion of themay have been hacked or compromised by an unknown Whitehat Hacker, who replaced the malicious links withinstallers.





What is Dridex Banking Trojan? How it Works?





Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.

The Dridex virus typically distributes itself through spam messages or emails that include malicious attachments, most often a Microsoft Office file or Word document integrated with malicious macros.





Once the malicious file has been clicked, the macros download and install the main payload of the virus – the trojan program itself – from a hijacked server, which installs and runs on the victim's computer.





The Dridex trojan program then creates a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.





This results in stealing victim's personal data like usernames and passwords, with an ultimate aim to break into bank accounts and siphon off cash.





Hacker replaces Trojan with Anti-virus





However, the recent Hack Surprises: Instead of distributing banking trojan, a portion of the Dridex botnet currently seems to be spreading legitimate copies of the free anti-virus software from Avira, as the company has announced itself.





"The content behind the malware download [link] has been replaced, it is now providing [a legitimate], up-to-date Avira web installer instead of the usual Dridex loader," explained Avira malware expert Moritz Kroll, reported Reg.

Avira believes that the white hat hacker or hackers may have hacked into a portion of infected web servers using the same flaws the malware authors used and then replaced the malicious code with the Avira installer.





So, once infected, instead of receiving Dridex malware, the victims get a valid, signed copy of Avira antivirus software.





"We still don't know exactly who is doing this with our installer and why – but we have some theories," said Kroll. "This is certainly not something we are doing ourselves."





Although the motives behind including the Avira software is still unclear, these kinds of actions are considered to be illegal in many countries, said Kroll.





What can be done to protect From Malware Attacks?





The guidance for preventing yourself from being a part of the Dridex Banking Trojan botnet is: