Emotet trojan returned after the takedown: detected in Japan

Emotet found newly spreading via fake Adobe Windows App Installer packages

Emotet up and runningEmotet trojan affecting computers again

Considered the most dangerous malware in the world – Emote trojan returned with its campaigns and was found recently infecting computers in Japan.[1] Even though it was taken down by international law enforcement operations before.[2] The threat seems to be unbeatable. Emotert infiltrated email boxes of various organizations in Japan using phishing methods. At least nine types of malware-laced files used to attached to the emails were detected. Malware also now is distributed through malicious Windows App Installer packages that are masked as Adobe PDF software.

Emotet trojan[3] is an infection that spreads using phishing email campaigns with malicious attachments. Once the file gets dropped on the machine, malware can steal emails, credentials, run malware tile TrickBot or Qbot delivered previously. These activities can lead to ransomware deployment or additional spam email campaigns.

Right now, the reports on Emotet state that infections happen by installing malicious packages using the built-in feature of Windows 10 and even Windows 11. The feature is called App Installer, and this method was already observed in other trojan and malware campaigns.[4]

Emotet operates abusing the Windows App Installer

The samples of the trojan allowed researchers to analyze the attacks and how the attack flows, starting not with the phishing campaign. Stolen emails from reply-chain attacks[5] allow the malware to spread around. Replies tell the receiver to interact with the email attachment that has a link to the PDF file, supposedly related to the email conversation.

The link is coded and shortened, so you do not see indications or suspicious content that could make you more cautious. Once the attached link is clicked, the sure gets to a Google Drive page that reveals a button for the PDF preview. The fake document should be displayed after that. However, the landing page prompting users to view the PDF is the ms-appinstaller URL that triggers the app installer file from Microsoft Azure.

Attempts to open the .appinstaller file take you to open the Windows App Installer, and once you agree to do so, the window pop-ups, and you will agree to install Adobe PDF Component. The package looks like it is legitimate, and even the legitimate Adobe icon seems real.

The software package delivers the valid certificate marker too, and is considered the Trysted App. This validation can be enough for users and help criminals fake the publisher's information. Once the Install buttons are clicked, the installation of the malicious bundle starts. Various DLL files and executables get dropped on the machine.

The drop of the most dangerous trojan can only be the start

Emotet trojan is one of the most dangerous and highly distributed malware pieces. The rebuild after the shutdown started a few months back, and TrickBot trojans, other malware helped to start new spam campaigns of the trojan again.[6] mailboxes can receive various emails with malicious documents containing the malicious scripts. User interaction with the attachment is the only thing needed for the infection to start.

It is common for these Emotet attacks to result in ransomware deployment. This is a major issue for organizations, government institutions, other entities. Administrators of such networks need to say on top of the defenses, so these malware distribution methods can be stopped. Regular employees and everyday users should have the knowledge on these campaigns to avoid Emotet infiltration.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions