Malicious Windows App Installer bundles posing as Adobe PDF applications are now being used to spread the Emotet malware. The malware infection Emotet is well-known for spreading through phishing emails and harmful attachments. It will capture victims’ emails for future spam operations and install malware like TrickBot and Qbot, which usually leads to ransomware operations, after it is installed.
Emotet’s threat actors are now infecting PCs by installing malicious packages via App Installer, a built-in feature of Windows 10 and Windows 11. The Emotet tracking group Cryptolaemus shared email samples and URLs.
This new Emotet campaign begins with a stolen reply-chain email that seems like a reply to a previous discussion. These responses merely say, “Please see attached,” and include a link to a purported PDF connected to the email chat. When users click the link, they’ll be sent to a phony Google Drive website, where they’ll be asked to click a button to preview the PDF file. The ‘Preview PDF’ button is an ms-appinstaller URL that tries to open an appinstaller file hosted on Microsoft Azure with *.web.core.windows.net URLs.
An appinstaller file is a simple XML file containing information about the signed publisher and the URL for the appbundle to be installed. The Windows browser will ask if you want to use the Windows App Installer application to proceed when you try to access a .appinstaller file. After you accept, an App Installer window will appear, asking you to install the ‘Adobe PDF Component.’
The infected package seems to be a legitimate Adobe application because it contains a real Adobe PDF symbol, a valid certificate that labels it as a ‘Trusted App,’ and bogus publisher information. Many consumers will trust and install the program based on this form of validation from Windows.
App Installer will download and install the malicious appxbundle hosted on Microsoft Azure once a user hits the ‘Install’ button. As seen below, this appxbundle will install a DLL in the percent Temp% folder and launch it using rundll32.exe. In addition, the DLL will be copied as a randomly named file and folder in the %LocalAppData% folder. Finally, in HKCU\Software\Microsoft\Windows\CurrentVersion\Run an autorun will be generated. When a user logs into Windows, Run will immediately run the DLL.
Until a law enforcement operation shut down and seized the botnet’s infrastructure, Emotet was the most widely disseminated malware. Emotet was reborn ten months later when it began to rebuild with the aid of the TrickBot malware.
Emotet spam operations began a day later, with emails including numerous lures and malicious documents that installed the virus in recipients’ mailboxes. These tactics have allowed Emotet to quickly establish its footprint and conduct large-scale phishing campaigns that install TrickBot and Qbot once again. Ransomware attacks are frequently launched as a result of Emotet campaigns. Windows administrators must be aware of malware dissemination tactics and teach personnel to recognize Emotet campaigns.
