An unknown party, possibly a white hat hacker, gained access to Dridex Trojan distribution servers and replaced the malicious download links with Avira Antivirus installers. Avira's researchers say they have no idea who did this.
“The content behind the malware download URL has been replaced. It’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader. We still don’t know exactly who is doing this with our installer and why, but we have some theories. This is certainly not something we are doing ourselves,” said Moritz Kroll, an Avira malware expert.
What is Dridex Banking Trojan?
The Dridex banking trojan is used by cyber criminals to distribute malware and target online banking users. It is also known as Bugat and Cridex, and was created by cyber criminals in Eastern Europe. It spreads through spam emails or messages carrying malicious attachments, usually a Microsoft Office file with embedded malicious macros.
Once the file is opened and macros are allowed to run, the macro downloads and installs the Dridex loader from a compromised server. The trojan then installs a keylogger on the infected device and manipulates banking websites in the browser using transparent redirects, so that the victim's banking credentials and personal data are captured and used to break into bank accounts.
However, after the hack, the Dridex botnet was found spreading free antivirus software instead of the banking trojan.
How to protect your device from this type of malware attack?
The steps to prevent your device from being infected by the Dridex banking trojan botnet are:
- Keep an up-to-date antivirus program that can intercept malicious attachments before they are opened
- Be careful when opening attachments from unknown email addresses, particularly Microsoft Word and Excel files
- Disable macros in MS Office, or at least keep the default setting that blocks them until you explicitly enable them, and never enable macros in a document you did not ask for
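As an added example (not code from this article or from Avira), here is a small Python check of the kind a mail gateway could run to implement the first point above: it classifies an Office attachment as macro-enabled OOXML, macro-free OOXML, legacy binary OLE (which may hold macros and cannot be cheaply inspected without an OLE parser), or not an Office file at all, and decides whether to hold it. It uses only the standard library; the helper `make_ooxml` builds minimal constructed zip packages for testing, not real Word documents, and the sample mailbox is likewise constructed.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file container (.doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header signature of a zip container (OOXML .docx/.docm/.xlsx/...).
ZIP_MAGIC = b"PK\x03\x04"
# Part names that carry VBA code inside an OOXML package.
VBA_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macros', 'ooxml-no-macros', 'ole-legacy' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams; flag for deeper scanning.
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package carries a content-types part at its root.
    if "[Content_Types].xml" not in names:
        return "not-office"
    for name in names:
        # Compare case-insensitively; part name casing varies between producers.
        if name.lower().endswith(VBA_PART_SUFFIXES):
            return "ooxml-macros"
    return "ooxml-no-macros"


def should_quarantine(data: bytes) -> bool:
    """Policy: hold anything that carries VBA or could hide it (legacy OLE)."""
    return classify_office_attachment(data) in ("ooxml-macros", "ole-legacy")


def scan_attachments(attachments):
    """Return the names of attachments to hold, given (filename, bytes) pairs."""
    return [name for name, data in attachments if should_quarantine(data)]


def make_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML-shaped zip for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mailbox: one macro document, one clean document,
    # one legacy .doc, one plain text file.
    mailbox = [
        ("invoice_2016.docm", make_ooxml(True)),
        ("agenda.docx", make_ooxml(False)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 512),
        ("readme.txt", b"nothing to see here"),
    ]
    for name, data in mailbox:
        print(f"{name}: {classify_office_attachment(data)}")
    print("hold:", scan_attachments(mailbox))
```

The check is deliberately conservative: a legacy `.doc` or `.xls` is held even though it may be harmless, because deciding otherwise requires parsing the OLE streams for a VBA project, which is a job for a full scanner rather than a gateway pre-filter.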
Interestingly, this is not the first time something like this has happened. In the past, Avira installers were distributed from the hacked servers of the CryptoLocker and Tesla ransomware campaigns, and the true story behind those incidents is still unknown.