FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs
EwDoor botnet targets AT&T network edge devices at US firms
Android banking malware infects 300,000 Google Play users
Finland warns of Flubot malware heavily targeting Android users
Planned Parenthood LA discloses data breach after ransomware attack
Emotet now spreads via fake Adobe Windows App Installer packages
Former Ubiquiti dev charged for trying to extort his employer
Bulletproof hosting founder imprisoned for helping cybercrime gangs
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
The Emotet malware is now distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.
Emotet is a notorious malware infection that spreads through phishing emails and malicious attachments. Once installed, it will steal victims’ emails for other spam campaigns and deploy malware, such as TrickBot and Qbot, which commonly lead to ransomware attacks.
The threat actors behind Emotet are now infecting systems by installing malicious packages using a built-in feature of Windows 10 and Windows 11 called App Installer.
Researchers previously saw this same method being used to distribute the BazarLoader malware where it installed malicious packages hosted on Microsoft Azure.
Using URLs and email samples shared by the Emotet tracking group Cryptolaemus, BleepingComputer demonstrates below the attack flow of the new phishing email campaign.
This new Emotet campaign starts with stolen reply-chain emails that appear as a reply to an existing conversation.
These replies simply tell the recipient to “Please see attached” and contain a link to an alleged PDF related to the email conversation.
When the link is clicked, the user will be brought to a fake Google Drive page that prompts them to click a button to preview the PDF document.
This ‘Preview PDF’ button is an ms-appinstaller URL that attempts to open an appinstaller file hosted on Microsoft Azure using URLs at *.web.core.windows.net.
For example, the above link would open an appinstaller package at the following example URL: ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller.
An appinstaller file is simply an XML file containing information about the signed publisher and the URL to the appbundle that will be installed.
When attempting to open an .appinstaller file, the Windows browser will prompt if you wish to open the Windows App Installer program to proceed.
Once you agree, you will be shown an App Installer window prompting you to install the ‘Adobe PDF Component.’
The malicious package looks like a legitimate Adobe application, as it has a legitimate Adobe PDF icon, a valid certificate that marks it as a ‘Trusted App’, and fake publisher information. This type of validation from Windows is more than enough for many users to trust the application and install it.
Once a user clicks on the ‘Install’ button, App Installer will download and install the malicious appxbundle hosted on Microsoft Azure. This appxbundle will install a DLL in the %Temp% folder and execute it with rundll32.exe, as shown below.
This process will also copy the DLL as a randomly named file and folder in %LocalAppData%, as shown below.
Finally, an autorun will be created under HKCUSoftwareMicrosoftWindowsCurrentVersionRun to automatically launch the DLL when a user logs into Windows.
Emotet was the most highly distributed malware in the past until a law enforcement operation shut down and seized the botnet’s infrastructure. Ten months later, Emotet was resurrected as it started to rebuild with the help of the TrickBot trojan.
A day later, Emotet spam campaigns began, with emails hitting users’ mailboxes with various lures and malicious documents that installed the malware.
These campaigns have allowed Emotet to build its presence rapidly, and once again, perform large-scale phishing campaigns that install TrickBot and Qbot.
Emotet campaigns commonly lead to ransomware attacks. Windows admins must stay on top of the malware distribution methods and train employees to spot Emotet campaigns.
New Windows zero-day with public exploit lets you become an admin
Microsoft: Windows Installer breaks apps after updates, repairs
Microsoft increases Windows 11 rollout pace to Windows 10 devices
How to fix the Windows 0x0000007c network printing error
The new Microsoft Store is now rolling out to Windows 10 PCs
Not a member yet? Register Now
Microsoft Defender scares admins with Emotet false positives
DNA testing firm discloses data breach affecting 2.1 million people
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

TellYouThePass ransomware revived in Linux, Windows Log4j attacksCredit card info of 1.8…

North Korean cyberspies target govt officials with custom malware

US, UK warn of Iranian hackers exploiting Microsoft Exchange, FortinetRussian ransomware gangs…

Glitch service abused to host short-lived phishing sites

US, UK warn of Iranian hackers exploiting Microsoft Exchange, FortinetRussian ransomware gangs…

New Rowhammer technique bypasses existing DDR4 memory defenses

Windows 10 21H2 is released, here are the new featuresNew Rowhammer technique…