Not even malware is hackproof, it appears:
Users tricked by spam messages to open malicious Word documents that distribute the Dridex online banking Trojan might have a surprise: they’ll get a free antivirus program instead.
That’s because an unknown person — possibly a white hat hacker — gained access to some of the servers that cybercriminals use to distribute the Dridex Trojan and replaced it with an installer for Avira Free Antivirus.
Good thing, right? But still against the law:
Although replacing known malware with an antivirus isn’t an activity most people would consider a hacking crime, it’s likely against the law in most countries. A white hat hacker who figured out a way to penetrate Dridex servers and tamper with the malware distribution channel may have done so discreetly to prevent being detained or prosecuted by law enforcement authorities.
And of course there’s a worst-case scenario:
A competing theory is that Dridex operators intentionally included the AV installer, possibly to throw off the detection process of other AV engines.
Which might be plausible, since the installer does not actually autorun: the person receiving it has to run it manually.