Emotet malware is now distributed through malicious Windows App Installer packages which claim to be Adobe PDF software.
Emotet is a notorious malware infection that is spread through phishing emails and malicious attachments. Once installed, it will steal victims’ emails for further spam campaigns and deploy malware like TrickBot and Qbot which usually lead to ransomware attacks.
The threat actors behind Emotet are now infecting systems by installing malicious packages using a built-in feature of Windows 10 and Windows 11 called the App Installer.
Researchers have already seen this same method being used to distribute the BazarLoader malware, where it installs malicious packages hosted on Microsoft Azure.
Abuse of Windows Application Installer
Using URLs and sample emails shared by Emotet tracking group Cryptolaemus, BleepingComputer shows the attack flow of the new phishing email campaign below.
This new Emotet campaign begins with stolen response chain emails that appear as a response to an existing conversation.
These responses simply tell the recipient to “Please see attachment” and contain a link to an alleged PDF related to the email conversation.
When the link is clicked, the user will be taken to a fake Google Drive page that prompts them to click a button to preview the PDF document.
This “PDF Preview” button is an ms-appinstaller URL that attempts to open an application installer file hosted on Microsoft Azure using URLs on *.web.core.windows.net.
For example, the above link would open an app installer package at the following example URL: ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller
An .appinstaller file is simply an XML file containing information about the signed publisher and the URL of the app that will be installed.
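To illustrate the two artifacts described above, here is an added triage helper (not code from the article or from Microsoft) that extracts the source URL from an ms-appinstaller: link and pulls the publisher and payload URL out of an .appinstaller manifest, flagging payloads hosted under *.web.core.windows.net. The manifest below is constructed for the example and reuses the article's placeholder host; the element and attribute names follow the public App Installer schema.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

# Constructed sample manifest, shaped like a real .appinstaller file.
# Host and paths are the article's placeholders, not a live indicator.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller"
  Version="1.0.0.0" xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2">
  <MainBundle Name="AdobePDFComponent" Version="1.0.0.0"
    Publisher="CN=EXAMPLE-PUBLISHER, O=Example Corp, C=US"
    Uri="https://xxx.z13.web.core.windows.net/abcdefghi.appxbundle" />
</AppInstaller>"""

def source_from_ms_appinstaller(link: str) -> Optional[str]:
    """Return the 'source' URL carried by an ms-appinstaller: link, else None."""
    if not link.lower().startswith("ms-appinstaller:"):
        return None
    query = link.split("?", 1)[1] if "?" in link else ""
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    return params.get("source", [None])[0]

def triage_appinstaller(xml_text: str) -> dict:
    """Extract publisher/payload details from a manifest and note suspicious traits."""
    root = ET.fromstring(xml_text)
    ns = root.tag.split("}")[0].strip("{")  # tolerate different schema versions
    bundle = root.find(f"{{{ns}}}MainBundle")
    if bundle is None:  # single-package manifests use MainPackage instead
        bundle = root.find(f"{{{ns}}}MainPackage")
    if bundle is None:
        raise ValueError("manifest has no MainBundle/MainPackage element")
    uri = bundle.get("Uri", "")
    host = (urlparse(uri).hostname or "").lower()
    findings = []
    if host.endswith(".web.core.windows.net"):
        findings.append("payload hosted on Azure static web storage (*.web.core.windows.net)")
    if not uri.lower().endswith((".appxbundle", ".msixbundle", ".appx", ".msix")):
        findings.append("payload URL lacks an expected package extension")
    return {
        "name": bundle.get("Name"),
        "publisher": bundle.get("Publisher"),
        "uri": uri,
        "host": host,
        "findings": findings,
    }

if __name__ == "__main__":
    print(source_from_ms_appinstaller(
        "ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller"))
    print(triage_appinstaller(SAMPLE_MANIFEST))
```

The publisher string is printed rather than judged because, as the article notes, the certificate in this campaign was valid; the useful signal for defenders is the hosting location and the mismatch between the advertised "Adobe" component and the actual signer.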
When you try to open an .appinstaller file, the Windows browser will ask you if you want to open the Windows App Installer program to continue.
Once you agree, an application installer window will appear prompting you to install the “Adobe PDF component”.
The malicious package looks like a legitimate Adobe application because it has a legitimate Adobe PDF icon, a valid certificate that marks it as a “trusted application” and false information about the publisher. This kind of Windows validation is more than enough for many users to trust and install the app.
Once a user clicks the “Install” button, App Installer downloads and installs the malicious appxbundle hosted on Microsoft Azure. This appxbundle will install a DLL in the %Temp% folder and run it with rundll32.exe as shown below.
This process will also copy the DLL as a randomly named file and folder to %LocalAppData% as shown below.
Finally, an autorun will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to automatically launch the DLL when a user logs into Windows.
Emotet was once the most widely distributed malware, until a law enforcement operation shut down and took over the botnet’s infrastructure. Ten months later, Emotet was resurrected and began to rebuild itself with the help of the TrickBot Trojan.
A day later, the Emotet spam campaigns began, with emails reaching users’ mailboxes with various malicious decoys and documents that installed the malware.
These campaigns have allowed Emotet to grow its presence quickly and, once again, run large-scale phishing campaigns that install TrickBot and Qbot.
Emotet campaigns generally lead to ransomware attacks. Windows administrators should stay abreast of malware distribution methods and train employees to spot Emotet campaigns.