Emotet, the notorious malware, has been discovered spreading via malicious Windows App Installer packages that impersonate legitimate Adobe PDF software.

The Emotet campaign

According to researchers, Emotet operators are now targeting Windows systems by delivering malicious packages through App Installer, a feature built into Windows 10/11.
  • The campaign uses stolen reply-chain emails that appear to continue an existing conversation. These replies reference a PDF related to the conversation and urge the recipient to open the "attached" file.
  • If a user clicks the link, they are redirected to a fake Google Drive page that asks them to click a 'Preview PDF' button, which points to an ms-appinstaller URL hosted on Azure.

Fake app installers

  • When clicked, the URL leads to an App Installer package. When the user tries to open this file, the browser prompts to use the Windows App Installer program to proceed.
  • If the user agrees, they are shown an App Installer window asking them to install a malicious package named 'Adobe PDF Component'.
  • The malicious package looks legitimate because it carries a genuine-looking Adobe PDF icon, a valid certificate, and fake publisher details, all meant to convince the user to install it.

Additional technical details

Once the install button is clicked, the installer downloads and installs an appx bundle hosted on Microsoft Azure.
  • The appx bundle then drops a DLL in the %Temp% folder and executes it with rundll32[.]exe.
  • Additionally, the process copies the DLL into a randomly named folder, under a randomly named file name, at %LocalAppData%.
  • Finally, a registry autorun entry is created so the DLL is launched automatically whenever the user logs into Windows.
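The execution and persistence chain described above (rundll32 loading a DLL from %Temp%, a copy under %LocalAppData%, an autorun entry) maps directly onto host telemetry. As an added example, not part of the Cyware article, the check below flags that shape in constructed Sysmon-style process and registry events; the article does not name the registry location, so matching on the standard Run/RunOnce keys is an assumption.

```python
import re

# Constructed sample telemetry (not real events), shaped loosely like Sysmon
# process-create and registry-value-set records. Paths and value names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\k9x2q.dll",#1'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Qz7Hm",
     "data": r"rundll32.exe C:\Users\alice\AppData\Local\Qz7Hm\Qz7Hm.dll,#1"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# A .dll living under a user-writable location (...\AppData\Local\... or ...\Temp\...).
USER_WRITABLE_DLL = re.compile(r"(\\AppData\\Local\\|\\Temp\\)[^\s\"']*\.dll\b", re.IGNORECASE)
RUNDLL32 = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)
# Assumption: the autorun lands in a standard Run/RunOnce key; the article only says "registry".
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def classify(event):
    """Return a finding label for one event, or None when it looks benign."""
    if event["type"] == "process":
        # rundll32 is legitimate; the signal is the DLL coming from a user-writable path.
        if RUNDLL32.search(event["image"]) and USER_WRITABLE_DLL.search(event["cmdline"]):
            return "rundll32 loading DLL from user-writable path"
    elif event["type"] == "registry":
        if (RUN_KEY.search(event["key"]) and RUNDLL32.search(event["data"])
                and USER_WRITABLE_DLL.search(event["data"])):
            return "Run-key autorun launching rundll32 against user-writable DLL"
    return None


def hunt(events):
    """Return (index, label, cmdline-or-key) for every event that matches the chain."""
    findings = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            findings.append((i, label, ev.get("cmdline") or ev.get("key")))
    return findings


if __name__ == "__main__":
    for idx, label, detail in hunt(SAMPLE_EVENTS):
        print(f"[{idx}] {label}: {detail}")
```

The benign shell32 and OneDrive entries pass, while the %Temp% rundll32 launch and the %LocalAppData% autorun are the two hits.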


Conclusion

Emotet keeps adopting new attack tactics to stay in the news, and this time it is using fake app installers. These recent campaigns let cybercriminals run large-scale phishing operations. It is therefore advisable to rely on reliable anti-phishing, network firewall, and anti-malware defenses to stay protected.

Cyware Publisher