Emotet now spreads via fake Adobe Windows App Installer packages



Emotet malware is now distributed through malicious Windows App Installer packages which claim to be Adobe PDF software.

Emotet is a notorious malware infection that is spread through phishing emails and malicious attachments. Once installed, it will steal victims’ emails for further spam campaigns and deploy malware like TrickBot and Qbot which usually lead to ransomware attacks.

The threat actors behind Emotet are now infecting systems by installing malicious packages using a built-in feature of Windows 10 and Windows 11 called the App Installer.

Researchers have already seen this same method used to distribute the BazarLoader malware, where it installs malicious packages hosted on Microsoft Azure.

Abuse of Windows Application Installer

Using URLs and sample emails shared by Emotet tracking group Cryptolaemus, BleepingComputer shows the attack flow of the new phishing email campaign below.

This new Emotet campaign begins with stolen response chain emails that appear as a response to an existing conversation.

These responses simply tell the recipient to “Please see attachment” and contain a link to an alleged PDF related to the email conversation.

When the link is clicked, the user will be taken to a fake Google Drive page that prompts them to click a button to preview the PDF document.

Phishing landing page prompting you to preview PDF
Source: BleepingComputer

This “PDF Preview” button is an ms-appinstaller URL that attempts to open an application installer file hosted on Microsoft Azure under *.web.core.windows.net.

For example, the above link would open an app installer package at the following example URL: ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller

An .appinstaller file is simply an XML file containing information about the signed publisher and the URL of the app package that will be installed.

An Emotet application installation XML file
Source: BleepingComputer
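As an added example (not from the article or from Cryptolaemus), the following Python script parses an .appinstaller manifest and flags the indicators described above: an Adobe-branded package whose bundle is served from Azure static web storage by a publisher that is not Adobe. The manifest below is constructed to follow the Microsoft AppInstaller schema and is not the actual campaign file; the publisher string and package name are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample .appinstaller manifest (assumption: modelled on the Microsoft
# schema; the real campaign file is only shown as a screenshot in the article).
SAMPLE_APPINSTALLER = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2018"
              Uri="https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller"
              Version="1.0.0.0">
  <MainBundle Name="AdobePDFComponent"
              Publisher="CN=Placeholder Publisher, O=Placeholder, C=US"
              Version="1.0.0.0"
              Uri="https://xxx.z13.web.core.windows.net/AdobePDFComponent.appxbundle"/>
</AppInstaller>
"""

# Hosting patterns the article associates with this campaign (Azure storage endpoints).
SUSPICIOUS_HOST_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net")


def parse_appinstaller(xml_text):
    """Return installer URI, package name, publisher and package URI from an .appinstaller file."""
    root = ET.fromstring(xml_text)
    # Strip the XML namespace so element names match regardless of schema year.
    for elem in root.iter():
        elem.tag = elem.tag.split("}", 1)[-1]
    pkg = root.find("MainBundle")
    if pkg is None:
        pkg = root.find("MainPackage")
    if pkg is None:
        raise ValueError("no MainBundle/MainPackage element in manifest")
    return {
        "installer_uri": root.get("Uri", ""),
        "name": pkg.get("Name", ""),
        "publisher": pkg.get("Publisher", ""),
        "package_uri": pkg.get("Uri", ""),
    }


def assess(info):
    """Return a list of human-readable findings for the parsed manifest (empty if clean)."""
    findings = []
    host = urlparse(info["package_uri"]).hostname or ""
    if host.endswith(SUSPICIOUS_HOST_SUFFIXES):
        findings.append(f"package hosted on Azure storage endpoint: {host}")
    if "adobe" in info["name"].lower() and "adobe" not in info["publisher"].lower():
        findings.append(f"Adobe-branded package with non-Adobe publisher: {info['publisher']}")
    return findings
```

Run `assess(parse_appinstaller(SAMPLE_APPINSTALLER))` to see both findings for the constructed manifest; a manifest from a non-Azure host with a matching publisher returns an empty list.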

When you try to open the .appinstaller file, the browser asks whether you want to open the Windows App Installer program to continue.

Once you agree, an application installer window will appear prompting you to install the “Adobe PDF component”.

App Installer prompting to install fake Adobe PDF component
Source: BleepingComputer

The malicious package looks like a legitimate Adobe application because it has a legitimate Adobe PDF icon, a valid certificate that marks it as a “trusted application” and false information about the publisher. This kind of Windows validation is more than enough for many users to trust and install the app.

Once a user clicks the “Install” button, App Installer downloads and installs the malicious .appxbundle hosted on Microsoft Azure. This appxbundle will install a DLL in the %Temp% folder and run it with rundll32.exe as shown below.

Installation of Emotet infection
Source: BleepingComputer

This process will also copy the DLL as a randomly named file and folder to %LocalAppData% as shown below.

Emotet saved with a random file name
Source: BleepingComputer

Finally, an autorun will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to automatically launch the DLL when a user logs into Windows.

Automatic registry to start Emotet when Windows starts
Source: BleepingComputer

Emotet was the most widely distributed malware in the past until a law enforcement operation shut down and took over the botnet’s infrastructure. Ten months later, Emotet was resurrected as it began to rebuild itself with the help of the TrickBot Trojan.

A day later, the Emotet spam campaigns began, with emails reaching users’ mailboxes with various malicious decoys and documents that installed the malware.

These campaigns have allowed Emotet to grow its presence quickly and, once again, run large-scale phishing campaigns that install TrickBot and Qbot.

Emotet campaigns generally lead to ransomware attacks. Windows administrators should stay abreast of malware distribution methods and train employees to spot Emotet campaigns.


