Someone hijacked the Dridex botnet to deliver Avira AV’s installer

After last September’s arrest of an alleged member of the gang that has been developing and spreading the Dridex banking malware, and last October’s temporary disruption of the Dridex botnet at the hands of UK and US law enforcement, the criminal group is experiencing problems again.

Someone – a white hat hacker, by the looks of it – has managed to compromise the server from which the malware is downloaded to the victims’ computer, and swap the Dridex loader with an original, up-to-date Avira web installer.

So when the users open the spam email, download the attached Word document with malicious macros, and open it, instead of being hit with malware they get extra protection.

“We still don’t know exactly who is doing this with our installer and why – but we have some theories,” says Moritz Kroll, malware expert at Avira “This is certainly not something we are doing ourselves.”

Another possible theory is that the criminals did this themselves in an attempt to interfere with Avira’s and other AV companies’ detection process, but that seems very unlikely. Why would they want to increase the safety of potential targets’ machines?

Interestingly enough, this is not the first time that the Avira installer has been added to malware. At one point in time, both the Cryptolocker and Tesla ransomware included the Avira installer. In both cases, the why of it is unclear.