fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Emotet Now Spreads via Fake Adobe Windows App Installer Packages

Emotet Now Spreads via Fake Adobe Windows App Installer Packages

The Emotet malware is now distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.

Emotet is a notorious malware infection that spreads through phishing emails and malicious attachments. Once installed, it will steal victims’ emails for other spam campaigns and deploy malware, such as TrickBot and Qbot, which commonly lead to ransomware attacks.

The threat actors behind Emotet are now infecting systems by installing malicious packages using a built-in feature of Windows 10 and Windows 11 called App Installer.

Researchers previously saw this same method being used to distribute the BazarLoader malware where it installed malicious packages hosted on Microsoft Azure.

Also Read: CCTV Law Singapore Edition: Know Your Rights and Responsibilities

Abusing Windows App Installer

Using URLs and email samples shared by the Emotet tracking group Cryptolaemus, BleepingComputer demonstrates below the attack flow of the new phishing email campaign.

This new Emotet campaign starts with stolen reply-chain emails that appear as a reply to an existing conversation.

These replies simply tell the recipient to “Please see attached” and contain a link to an alleged PDF related to the email conversation.

Emotet phishing email
Emotet phishing email
Source: @malware_traffic

When the link is clicked, the user will be brought to a fake Google Drive page that prompts them to click a button to preview the PDF document.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

Phishing landing page prompting you to preview the PDF
Phishing landing page prompting you to preview the PDF
Source: BleepingComputer

This ‘Preview PDF’ button is an ms-appinstaller URL that attempts to open an appinstaller file hosted on Microsoft Azure using URLs at *.web.core.windows.net.

For example, the above link would open an appinstaller package at the following example URL: ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller.

An appinstaller file is simply an XML file containing information about the signed publisher and the URL to the appbundle that will be installed.

An Emotet appinstaller XML file
An Emotet appinstaller XML file
Source: BleepingComputer

When attempting to open an .appinstaller file, the Windows browser will prompt if you wish to open the Windows App Installer program to proceed.

Once you agree, you will be shown an App Installer window prompting you to install the ‘Adobe PDF Component.’

App Installer prompting to install the Fake Adobe PDF Component
App Installer prompting to install the Fake Adobe PDF Component
Source: BleepingComputer

The malicious package looks like a legitimate Adobe application, as it has a legitimate Adobe PDF icon, a valid certificate that marks it as a ‘Trusted App’, and fake publisher information. This type of validation from Windows is more than enough for many users to trust the application and install it.

Once a user clicks on the ‘Install’ button, App Installer will download and install the malicious appxbundle hosted on Microsoft Azure. This appxbundle will install a DLL in the %Temp% folder and execute it with rundll32.exe, as shown below.

Installing the Emotet infection
Installing the Emotet infection
Source: BleepingComputer

This process will also copy the DLL as a randomly named file and folder in %LocalAppData%, as shown below.

Emotet saved under a random file name
Source: BleepingComputer

Finally, an autorun will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to automatically launch the DLL when a user logs into Windows.

Registry autorun to start Emotet when Windows starts
Registry autorun to start Emotet when Windows starts
Source: BleepingComputer

Emotet was the most highly distributed malware in the past until a law enforcement operation shut down and seized the botnet’s infrastructure. Ten months later, Emotet was resurrected as it started to rebuild with the help of the TrickBot trojan.

A day later, Emotet spam campaigns began, with emails hitting users’ mailboxes with various lures and malicious documents that installed the malware.

These campaigns have allowed Emotet to build its presence rapidly, and once again, perform large-scale phishing campaigns that install TrickBot and Qbot.

Emotet campaigns commonly lead to ransomware attacks. Windows admins must stay on top of the malware distribution methods and train employees to spot Emotet campaigns.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us