Evil Corp. -- the criminal hacking group that owns and operates the especially nasty Dridex banking Trojan -- may have run into a Batman of sorts on the Internet.
Someone or some group appears to have disrupted at least part of the channel that distributes the malware and replaced the malicious links with installers for an antivirus tool instead. Basically, the server files behind the Dridex download URL in some locations have been swapped with original, up-to-date versions of the Web installer for Avira antivirus, according to Avira Operations, the German company that makes the software.
So users who click on malicious links distributed by the affected download locations get Avira’s antivirus tool instead of the banking Trojan. Whoever is behind the deed has apparently been leaving a calling card of sorts on the compromised Dridex sites, with somewhat cryptic references to "owner," "pwner,"and "host," Avira said in a statement on the development.
Avira says that it is not behind the caper and is unsure why the online do-gooder may have chosen its product to defend potential victims of the banking Trojan.
“We think it’s the Batman philosophy and way of life--help people, doing the right stuff with maybe not-so-legal methods,” says Moritz Kroll, malware expert with Avira. “I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods.”
Dridex is a banking Trojan that originally began spreading in 2014 and has since stubbornly resisted all efforts to eradicate it. It's typically distributed as a malicious attachment—often a Word document with malicious macros—in spam email.
When the document is opened, the macros download Dridex from a remote server, which often has been previously compromised as well. Once installed on a computer, Dridex basically waits until the user attempts to log into certain banking websites. Dridex currently targets customers of a growing list of major, mostly European, banks including Barclays, Santander, RBS, HSBC, Deutsche Bank, and Wells Fargo.
When a Dridex victim attempts to log into any of these banks, the malware quickly intercepts the communication and redirects the user to a spoofed Web page designed to look exactly like the actual banking website. The goal is to steal the account log-in details so the criminals can conduct fraudulent transactions on the account.
Dridex and its operators have grabbed the attention of security researchers and law enforcement for their persistence. There was considerable elation last October when the FBI and law enforcement in the UK took down several of the servers and botnet infrastructure being used to distribute the Trojan. But it didn’t take long for the malware to reemerge and continue with its campaign. IBM and others recently warned about an intensification of attacks involving Dridex.
But the appearance of Dridex download sites serving up Avira antivirus suggests that someone is trying to disrupt the malware campaign, even if not in a strictly legitimate way.
“If you think about it, there was a huge media announcement when Dridex was taken down by the government authorities and a much smaller level of reporting on its return to the marketplace,” Kroll says. “That has got to be frustrating to some and might cause them to think, ‘the government tried to take it down, they could not, I can do something myself.'"
This is not the first time that an apparent online vigilante has stepped in to try and disrupt a malware operation. Last October, Symantec reported on a software tool, that it dubbed Linux.Wifatch, being used to silently secure improperly protected home routers and Internet connected devices.
Symantec described Wifatch as malware with hardcoded routines that appeared designed to harden compromised devices and to detect and remove any malware that might be present on them. The security vendor estimated that a white hat hacker or hackers had silently installed Wifatch on potentially tens of thousands of home routers in an apparent bid to protect the devices against malware.
“Someone went in, patched the security holes, then added a backdoor whereby the routers could receive regular updates of some signatures for detecting malware on these systems,” Kroll says, referring to Wifatch.
Avira started as a free antivirus company and still largely remains that way, although it offers a premium version of the software as well.