The practice of hacking malware botnets and then replacing their payloads with pro-user content is starting to become the norm, with another of these incidents being reported by the team from F-Secure.
The company says that one of its security researchers stumbled upon a weird sample coming from the server network (botnet) from which most of the Locky ransomware-carrying spam is sent out.
This time around, the F-Secure researcher, named Päivi, discovered that, instead of Locky, this file was downloading and executing something different.
It appears that someone hacked the Locky distribution network and replaced the Locky ransomware payload with a benign file that showed a simple popup warning users not to open email attachments from untrusted sources (screenshot below).
“You are reading this message because you have opened a malicious file,” the popup reads. “For your safety, don’t open unknown emails attachment.”[sic]
Something like this happened before, last February, when somebody hacked the Dridex botnet to deliver a version of instead of the Dridex banking trojan, and then again last month with the Locky network, when someone replaced the ransomware with an empty file that read “ .”