Banking malware Dridex has been active for several years, dropping onto victim computers via malicious Word attachments and grabbing financial information. But now there’s a twist: According to CSO Online, some malware’s command-and-control (C&C) servers have been repurposed to send out different code — an up-to-date, free antivirus program. Is this the first step toward beating back banking malware?

Dridex Maintains Its ROI

Authorities haven’t been ignoring this malware: A high-profile takedown operation in 2015 disrupted many servers and indicted a Moldavian man for a portion of these Trojan attacks. The problem? In just a few months, the malware was back at full strength.

As noted by a January 2016 piece from PCWorld, Dridex even added a few new features, such as DNS cache poisoning. Once infected, victim computers would be directed to fake banking sites even if the legitimate domain name is typed into the browser.

The malware-makers recreated 13 of the U.K.’s most popular bank websites to convince users they’d landed on the real page, putting them at ease to enter login information or even SMS codes sent by their actual bank.

Even worse? Banks had no idea the fraud was occurring since their websites were never involved. For Dridex distributors, it seems, the government takedown had little effect on their ROI and spurred the adoption of new, more aggressive features.

A New Approach

With Dridex back in full force — and, as noted by Graham Cluley, also leveraging JavaScript attacks in email attachments purportedly coming from toilet hiring services — it makes sense that white-hat hackers would feel a measure of frustration. After all, the concerted government effort barely dented the malware campaign.

As noted by The Register, however, something strange happened: Some victims are getting a full install of Aviva Antivirus instead of Dridex. While it does require users to accept and manage the installation, it’s a strange step in the right direction — one that no agency or government is claiming as its own.

Moritz Kroll of Aviva said it’s not his company distributing the product, and although there’s some speculation that Dridex creators might be behind the change in an effort to make their package more difficult to detect, the prevailing theory is that white-hat hackers have taken it upon themselves to solve an obvious issue.

It’s not a complete solution, and there’s no way to predict if users will get the infected or the antivirus file, but it’s interesting to see a turning of tables. Proof positive, in other words, that a great defense starts with a good offense.

More from

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for…