
Emotet is spread through fake Adobe Windows App Installer packages

Emotet malware is now distributed through malicious Windows App Installer packages disguised as Adobe PDF software.



Emotet is malware that spreads via email phishing and malicious attachments. Once installed, it steals emails for use in further spam campaigns and drops additional malware, such as TrickBot and Qbot, which commonly lead to ransomware attacks.

The threat actors behind Emotet are now infecting systems by installing malicious packages through a built-in Windows 10 and Windows 11 feature called App Installer.

This method was previously seen distributing the BazarLoader malware, where it installed malicious packages hosted on Microsoft Azure.

Using URLs and email samples reported by the Emotet monitoring group Cryptolaemus, the attack flow of the new phishing campaign can be reconstructed.

This new Emotet campaign starts with stolen email threads, with the malicious message appearing as a reply to an existing conversation.

These replies simply tell the recipient "Please see the attachment" and contain a link to a supposed PDF related to the email conversation.

When the link is clicked, the user will be taken to a fake Google Drive page asking them to click a button to preview the PDF document.



This PDF Preview button is an ms-appinstaller: URL that attempts to open an .appinstaller file hosted on Microsoft Azure at URLs under *

An .appinstaller file is simply an XML file that contains information about the signed publisher and the URL of the appxbundle to be installed.

When you try to open an .appinstaller file, the web browser prompts you to confirm that you want to open Windows App Installer.

Once you have agreed, an App Installer window will appear asking you to install the Adobe PDF Component.

The malicious package looks like a legitimate Adobe application, as it has a legitimate Adobe PDF icon, a valid certificate that identifies it as a "Trusted application" and fake publisher information. This type of validation from Windows is more than enough for many users to trust the application and install it.


Once a user clicks the "Install" button, App Installer downloads and installs the malicious appxbundle hosted on Microsoft Azure. This appxbundle installs a DLL in the %Temp% folder and executes it with rundll32.exe.

This procedure also copies the DLL, under a random file and folder name, to %LocalAppData%.

Finally, an autorun entry is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the DLL starts automatically whenever the user logs in to Windows.
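A defender-side triage helper, added here as an example and not part of the original article: it parses the .appinstaller manifest format described above (the MainBundle element with its Publisher and Uri attributes, as in the public schema) and flags the persistence pattern from the infection chain (an HKCU Run value launching rundll32.exe on a DLL under %LocalAppData% or %Temp%). The manifest and command lines are constructed samples; the trusted-host list and the flag wording are assumptions.

```python
"""Triage helpers for Windows App Installer lures (added example, constructed data)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Default namespace of the .appinstaller schema (2017/2 revision).
NS = {"ai": "http://schemas.microsoft.com/appx/appinstaller/2017/2"}

# Constructed manifest modelled on the lure: claims an Adobe-branded component
# but pulls the bundle from an arbitrary Azure blob host (hostname is made up).
SAMPLE_APPINSTALLER = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://example-lure.blob.core.windows.net/x/pdf.appinstaller"
              Version="1.0.0.0"
              xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2">
  <MainBundle Name="Adobe.PDFComponent" Publisher="CN=Adobe PDF Component"
              Version="1.0.0.0"
              Uri="https://example-lure.blob.core.windows.net/x/pdf.appxbundle" />
</AppInstaller>"""


def triage_appinstaller(xml_text, trusted_hosts=("adobe.com",)):
    """Extract publisher and bundle details and flag anything worth a second look.

    trusted_hosts is an assumed allowlist of domains the claimed publisher
    would actually serve packages from."""
    root = ET.fromstring(xml_text)
    bundle = root.find("ai:MainBundle", NS)
    if bundle is None:
        return {"flags": ["no MainBundle element"]}
    uri = bundle.get("Uri", "")
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    flags = []
    if parsed.scheme != "https":
        flags.append("bundle not served over https")
    if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
        flags.append(f"bundle host {host} is not a known publisher domain")
    return {"name": bundle.get("Name"), "publisher": bundle.get("Publisher"),
            "bundle_uri": uri, "flags": flags}


# Persistence pattern from the article: a Run value that launches rundll32 on a
# DLL living under %LocalAppData% or %Temp% (expanded or unexpanded path).
RUN_PATTERN = re.compile(
    r"rundll32(\.exe)?\s+\"?(?:%localappdata%|%temp%|"
    r"[a-z]:\\users\\[^\\]+\\appdata\\local)",
    re.IGNORECASE)


def is_suspicious_run_value(command):
    """True if a Run-key command line matches the rundll32 + user-profile DLL pattern."""
    return bool(RUN_PATTERN.search(command))
```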

Emotet was the most widely distributed malware until a law enforcement operation took down and seized the botnet infrastructure. Ten months later, Emotet was resurrected, and its botnet began to be rebuilt with the help of the TrickBot trojan.

Absent Mia
Being yourself, in a world that constantly tries to change you, is your greatest achievement