Cyber Security

Emotet Spreads Again with Fake App Installers

Published

on

Emotet, the notorious malware, has been discovered spreading via malicious Windows App Installer packages. These packages are impersonating the legitimate Adobe PDF software.

The Emotet campaign 

According to researchers, Emotet operators are now targeting Windows systems by installing malicious packages, using a built-in feature named App Installer in Windows 10/11.

  • The campaign uses stolen reply-chain emails that seem to be a reply to an existing conversation. These replies come with a PDF related to the email conversation and ask the recipient to see the attached file.
  • If a user clicks on the link, they are redirected to a fake Google Drive page that asks users to click on the ‘Preview PDF’ button, which points to an ms-appinstaller URL hosted on Azure.

Fake app installers

  • When clicked, the URL leads to an app installer package. When the user tries to open this file, the browser prompts to use the Windows App Installer program to proceed.
  • If the users agree, they will be shown an App Installer window asking them to install a malicious package named ‘Adobe PDF Component’.
  • The malicious package seems legitimate because it has a legitimate Adobe PDF icon, a valid certificate, along fake publisher details to fool the users into installing it.

Additional technical details

Once the install button is clicked, the installer downloads/installs an appx bundle hosted on Microsoft Azure.

  • The appx bundle then installs a DLL in the %Temp% folder and executes it with rundll32[.]exe.
  • Additionally, the process copies the DLL as a randomly named file and folder at %LocalAppData%.
  • Finally, an autorun is created under the registry to auto-launch the DLL when a user logs into Windows.

Conclusion

Emotet always comes with new attack tactics to stay in the news and this time, it is using fake app installers. These recent campaigns allow cybercriminals to perform large-scale phishing campaigns. Thus, it is advised to use reliable anti-phishing, network firewall, and anti-malware defenses to stay protected.

Source: https://cyware.com/news/emotet-spreads-again-with-fake-app-installers-78542833

Click to comment
Exit mobile version