The nasty virus Emotet has been detected propagating using malicious Windows App Installer packages. These programmes pose as the official Adobe PDF software.
According to experts, Emotet operators are now targeting Windows PCs by installing malicious programmes using a built-in function in Windows 10/11 known as App Installer. The campaign employs stolen reply-chain emails that seem to be replies to ongoing conversations. These responses include a PDF relating to the email exchange and request that the recipient view the attached file. When a user hits the link, they are led to a bogus Google Drive page that prompts them to click the ‘Preview PDF’ button, which leads to a ms-appinstaller URL stored on Azure.
When the URL is clicked, it takes you to an app installer package. When the user attempts to access this file, the browser urges them to utilise the Windows App Installer application to continue.
If the users accept, they will be presented with an App Installer window in which they will be asked to install a malicious package called ‘Adobe PDF Component.’
The malicious programme appears legitimate since it includes a real Adobe PDF icon, a valid certificate, and bogus publisher information to trick people into installing it.
When you click the install button, the installer downloads and instals an appx package hosted on Microsoft Azure. The appx package then instals a DLL in the percent Temp% folder and runs it using rundll32[.]exe. Furthermore, the DLL is copied as a randomly named file and folder at percent LocalAppData%. Finally, a registry autorun is constructed to automatically launch the DLL when a user login into Windows.
To be in the headlines, Emotet continually comes up with new assault strategies, and this time it is deploying bogus app installers. These latest initiatives make it possible for fraudsters to conduct large-scale phishing attacks. To keep safe, it is recommended that you utilize reliable anti-phishing, network firewall, and anti-malware protections.