Skip to content
Viruses and parasites 3 min read

Emotet trojan returned after the takedown: detected in Japan

Jake Doevan Computer technology expert Published

Emotet found newly spreading via fake Adobe Windows App Installer packages

Emotet up and running

Considered the most dangerous malware in the world – Emote trojan returned with its campaigns and was found recently infecting computers in Japan.[1] Even though it was taken down by international law enforcement operations before.[2] The threat seems to be unbeatable. Emotert infiltrated email boxes of various organizations in Japan using phishing methods. At least nine types of malware-laced files used to attached to the emails were detected. Malware also now is distributed through malicious Windows App Installer packages that are masked as Adobe PDF software. 

Emotet trojan[3] is an infection that spreads using phishing email campaigns with malicious attachments. Once the file gets dropped on the machine, malware can steal emails, credentials, run malware tile TrickBot or Qbot delivered previously. These activities can lead to ransomware deployment or additional spam email campaigns. 

Right now, the reports on Emotet state that infections happen by installing malicious packages using the built-in feature of Windows 10 and even Windows 11. The feature is called App Installer, and this method was already observed in other trojan and malware campaigns.[4]

Emotet operates abusing the Windows App Installer

The samples of the trojan allowed researchers to analyze the attacks and how the attack flows, starting not with the phishing campaign. Stolen emails from reply-chain attacks[5] allow the malware to spread around. Replies tell the receiver to interact with the email attachment that has a link to the PDF file, supposedly related to the email conversation.

The link is coded and shortened, so you do not see indications or suspicious content that could make you more cautious. Once the attached link is clicked, the sure gets to a Google Drive page that reveals a button for the PDF preview. The fake document should be displayed after that. However, the landing page prompting users to view the PDF is the ms-appinstaller URL that triggers the app installer file from Microsoft Azure.

Attempts to open the .appinstaller file take you to open the Windows App Installer, and once you agree to do so, the window pop-ups, and you will agree to install Adobe PDF Component. The package looks like it is legitimate, and even the legitimate Adobe icon seems real. 

The software package delivers the valid certificate marker too, and is considered the Trysted App. This validation can be enough for users and help criminals fake the publisher's information. Once the Install buttons are clicked, the installation of the malicious bundle starts. Various DLL files and executables get dropped on the machine.

The drop of the most dangerous trojan can only be the start

Emotet trojan is one of the most dangerous and highly distributed malware pieces. The rebuild after the shutdown started a few months back, and TrickBot trojans, other malware helped to start new spam campaigns of the trojan again.[6] mailboxes can receive various emails with malicious documents containing the malicious scripts. User interaction with the attachment is the only thing needed for the infection to start.

It is common for these Emotet attacks to result in ransomware deployment. This is a major issue for organizations, government institutions, other entities. Administrators of such networks need to say on top of the defenses, so these malware distribution methods can be stopped. Regular employees and everyday users should have the knowledge on these campaigns to avoid Emotet infiltration.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.