Part of the distribution channel of the Dridex botnet may have been hacked, with malicious links replaced by installers for Avira Antivirus. As the Dridex operators are unlikely to be distributing an antivirus solution, the person making these changes might be a white hat hacker covering his tracks, say Avira researchers.
The Dridex botnet has roared back to life after its much talked-about takedown by the US authorities in late 2015. Dridex logs keystrokes on infected computers and uses transparent redirects and webinjects to manipulate banking websites. Spread by malware-laden spam, it has caused losses in Europe and the US that are estimated in the tens of millions of euros.
Dridex is spread by spam, usually containing a Word document with malicious macros. Once the file has been opened, the macros download the payload from a hijacked server, and the computer is infected.
But in this case, the server files have been modified. “The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” stated Moritz Kroll, malware expert at Avira.
Instead of the Dridex malware they would otherwise have received, end users get a valid, signed copy of the Avira installer.
The affair looks like it is straight off the pages of The Art of War where Sun Tzu wrote: “The whole secret lies in confusing the enemy, so that he cannot understand our real intent.”
“We still don’t know exactly who is doing this with our installer and why – but we have some theories,” said Kroll. “This is certainly not something we are doing ourselves.”
There are two basic theories for what is happening:
Theory 1. Cybercriminals are doing this to somehow upset Avira’s and other AV companies’ detection process. Kroll denied this was a possibility: “We don’t think that the malware guys would provide the Avira installer – they wouldn’t want to improve the protection level on their victims’ machines.”
Theory 2. A “white hat” hacker is at work – and wants to do this in private. “There is a possibility that a white hat has hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,” explained Kroll. The hackers – if these are the persons making the changes – have an interest in remaining hidden. “While what they are doing is fundamentally helpful, it is also technically illegal in most countries, so they probably don’t want to be known or identifiable.”
The Avira installer has been added to CryptoLocker and Tesla ransomware in the past. “With CryptoLocker, the malware was in many, but not all cases, expecting CnC communication, so the executable would not be accepted and Avira could not be executed. And at that time, we saw that many of the changes were at one specific provider,” said Kroll. With Tesla, the motive behind including the Avira installer is still not clear.
According to Avira research, a partial list of financial institutions targeted by Dridex includes Barclays, Berliner Bank, BNP Paribas, Commerzbank, Crédit Agricole, Deutsche Bank, HSBC, La Banque Postale, NatWest, Raiffeisen, RBS, Santander, Société Générale, Sparda, Sparkasse, Ulster Bank, and Wells Fargo.