The notorious Emotet malware has been found propagating via malicious Windows App Installer packages. These packages are posing as legit Adobe PDF software.
Emotet operators are now targeting Windows based computers, according to researchers, by installing malicious packages using a built-in feature known as App Installer in Windows 10/11.
The campaign takes advantage of stolen reply-chain emails that appear to be responses to existing conversations. These replies include a PDF attachment linked to the email conversation and request that the recipient view the attached file.
When a user clicks on the link, they are redirected to a fake Google Drive page that instructs them to click on the ‘Preview PDF’ button, which leads to an ms-appinstaller URL hosted on Azure.
Additional Info
When the user clicks, the URL leads to an app installer package. When the user attempts to open this file, the browser instructs them to use the Windows App Installer program to proceed.
If the users agree, an App Installer window will appear, urging them to install a malicious package named ‘Adobe PDF Component’.
Since the malicious package appears legitimate because of the legit Adobe PDF icon, a valid certificate, and bogus publisher details, the users are duped into installing it.
When the user clicks on the install button, the installer downloads and installs an appx bundle hosted on Microsoft Azure.
After that, the appx bundle installs a DLL in the percent %Temp% folder and executes it using rundll32[.]exe.
Additionally, the process copies the DLL to %LocalAppData% as a randomly named file and folder.
Finally, when a user logs into Windows, an autorun is created in the registry to automatically launch the DLL.
Concluding Words
To be in the news, Emotet continually comes up with new assault tactics, and this time it’s using fake app installers. The latest campaigns allow cybercriminals to conduct large-scale phishing attacks. To stay secure, it’s best to use reliable anti-phishing, network firewall, and anti-malware defences.