Emotet is now being distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.
The URLs are sent to victims through a malspam campaign. The emails are crafted to appear as replies to existing conversations, using stolen reply-chain emails that ask the recipient to look at an attachment. Clicking the link takes the victim to a fake Google Drive page that prompts them to click a button to preview the PDF document.
Clicking the “Preview PDF” button triggers an ms-appinstaller URL that attempts to open a file with an .appinstaller extension hosted on Azure under *.web.core.windows.net URLs. Files with the .appinstaller extension are associated with Microsoft’s App Installer.
When an .appinstaller file is opened, the browser prompts to launch the Windows App Installer program to proceed. An App Installer window then prompts you to install the “Adobe PDF Component.” This malicious package looks like a legitimate Adobe application: it has a legitimate Adobe PDF icon, a valid certificate that marks it as a ‘Trusted App’, and fake publisher information.
App Installer then downloads and installs the malicious appxbundle hosted on Microsoft Azure. The bundle drops a .dll on the affected system and creates a startup entry for it, so the DLL is launched automatically whenever a user logs into Windows. At that point you are infected with Emotet.
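As an added illustration (not code from the original article), the following Python snippet shows the kind of check a defender can run over proxy or mail-gateway logs to surface this delivery chain: it extracts the `source=` target of any `ms-appinstaller:` URI and flags targets that are `.appinstaller` files on `*.web.core.windows.net`. The log format, the storage account name and every URL in the sample are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic): timestamp, client, method, URL.
SAMPLE_LOG = """\
2021-12-01T10:02:11Z 10.0.0.5 GET https://www.adobe.com/acrobat/pdf-reader.html
2021-12-01T10:03:40Z 10.0.0.5 GET https://fake-drive.example/preview?doc=invoice.pdf
2021-12-01T10:03:42Z 10.0.0.5 GET ms-appinstaller:?source=https://EXAMPLE-STORAGE.web.core.windows.net/xxx/AdobePDF.appinstaller
2021-12-01T10:04:01Z 10.0.0.7 GET ms-appinstaller:?source=https://apps.example.com/internal/LineOfBusiness.appinstaller
"""

# Azure static-website hosting suffix named in the article; host names in the log are constructed.
SUSPECT_HOST_SUFFIX = ".web.core.windows.net"


def appinstaller_source(url):
    """Return the source URL carried by an ms-appinstaller: URI, or None if the URL is not one."""
    if not url.lower().startswith("ms-appinstaller:"):
        return None
    query = url.split("?", 1)[1] if "?" in url else ""
    return parse_qs(query).get("source", [None])[0]


def classify(url):
    """'benign' (no App Installer), 'appinstaller' (App Installer used), or
    'suspicious' (.appinstaller package served from Azure static-website hosting)."""
    src = appinstaller_source(url)
    if src is None:
        return "benign"
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if host.endswith(SUSPECT_HOST_SUFFIX) and parts.path.lower().endswith(".appinstaller"):
        return "suspicious"
    return "appinstaller"


def scan_log(text):
    """Return (timestamp, client, verdict, source) for every line that invokes App Installer."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields
        verdict = classify(url)
        if verdict != "benign":
            hits.append((ts, client, verdict, appinstaller_source(url)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Any `ms-appinstaller:` hit is worth reviewing, since legitimate line-of-business deployments are usually served from known internal hosts rather than ad-hoc Azure storage sites.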
Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content: not just malicious files, as in the case of Emotet, but also phishing sites, other fraudulent sites, and C2 servers. Azure is certainly not alone; other content hosting services such as Google Drive, Dropbox, and Amazon Web Services are also abused to store malicious content. But critics are hard on Microsoft since it considers itself a security vendor. At the time of writing, the .appinstaller file had been removed, but it was available for download longer than it should have been.