How Emotet Spreads Through Fake Adobe Windows Application Installer Packages?

The Emotet Trojan is now appropriated through malicious Windows App Installer packages that try to be Adobe PDF software. Emotet is a prominent malware infection that spreads through various phishing emails for other spam operations and set up the malware, such as TrickBot and Qbot, which is usually lead to ransomware attacks.

The attackers behind the Emotet are now impacting systems by installing malicious packages utilizing a built-in feature of Windows 10 and Windows 11 called App Installer. Investigators’ priory saw this same method is utilized to distribute the BazarLoader malware where it is installed malicious packages hosted on Microsoft Azure.

Affecting Windows App Installer

By utilizing the URLs and email samples transmitted by the Emotet tracking group Cryptolaemus, our experts determine below the attack flow of the advanced phishing email operations. This advance Emotet operation initiates with stolen reply-chain emails that come as a reply to the ongoing conversation.       

These replies simply tell the receiver to “Please see attached” and contain a link to a so-called PDF related to the email conversation.

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image1

When you initially click on the link, the user will be brought to a fake Google Drive page that prompts them to click a button to preview the PDF document.

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image2

This ‘Preview PDF’ button is an ms-app installer URL that attempts to open an app installer file hosted on Microsoft Azure using URLs at *.web.core.windows.net. For example, the above link would open an app installer package at the following example URL: ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller.

An app installer file is simply an XML file containing information about the signed publisher and the URL to the appbundle that will be installed.

How to Launch the App installer?

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image3

When attempting to open a .appinstaller file, the Windows browser will prompt if you wish to open the Windows App Installer program to proceed. Once you agree, you will be shown an App Installer window prompting you to install the ‘Adobe PDF Component.’

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image4

The malicious package looks like a legitimate Adobe application, as it has a legitimate Adobe PDF icon, a valid certificate that marks it as a ‘Trusted App’, and fake publisher information. This type of validation from Windows is more than enough for many users to trust the application and install it.

Once a user clicks on the ‘Install’ button, App Installer will download and install the malicious appxbundle hosted on Microsoft Azure. This appxbundle will install a DLL in the %Temp% folder and execute it with rundll32.exe, as shown below:

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image5

This process will also copy the DLL as a randomly named file and folder in %LocalAppData%, as shown below:

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image6

Finally, an autorun will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to automatically launch the DLL when a user logs into Windows.

How-Emotet-Spreads-Through-Fake-Adobe-Windows-Application-Installer-Packages-image7

Emotet was the most highly distributed malware in the past until a law enforcement operation shut down and seized the botnet’s infrastructure. Ten months later, Emotet was resurrected as it started to rebuild with the help of the TrickBot trojan.

A day later, Emotet spam campaigns began, with emails hitting users’ mailboxes with various lures and malicious documents that installed the malware. These campaigns have allowed Emotet to build its presence rapidly, and once again, perform large-scale phishing campaigns that install TrickBot and Qbot.

Emotet campaigns commonly lead to ransomware attacks. Windows admins must stay on top of the malware distribution methods and train employees to spot Emotet campaigns.

Leave a Reply