December 01, 2021

Emotet and App Installer

Industry: N/A | Level: Tactical | Sources: Twitter – @malware_traffic & BleepingComputer

On November 11th 2021, Sophos reported that Emotet malware is following the same tactics used by BazarLoader to abuse Windows App Installer packages, according to Twitter security researcher @malware_traffic. The attack chain starts with an email built on a stolen reply chain that contains a URL link to an alleged PDF document. The link leads to a Google Drive styled page that downloads a file hosted on Microsoft Azure URLs at .web.core.windows.net. Following the install of the alleged Adobe PDF component, a DLL file is downloaded to the %Temp% folder and executed with rundll32; additionally, an autorun entry is created.

  • Anvilogic Scenario: Malware & AppInstaller
  • Anvilogic Use Cases:
    • AppInstaller.exe Download
    • New AutoRun Registry Key
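The two use cases above can be expressed as simple matching logic over endpoint telemetry. The following is an added example, not Anvilogic's own content or code: it runs over constructed Sysmon-style process and registry events (the hostnames, user name, package path, DLL name and export are placeholders) and flags the three stages of the chain described above, then checks whether all of them were seen together.

```python
import re

# Constructed Sysmon-style events (not real telemetry) mirroring the chain described above:
# AppInstaller fetching a package from an Azure static-site host, rundll32 running a DLL
# dropped in %Temp%, and a Run-key entry for persistence. All paths/names are placeholders.
SAMPLE_EVENTS = [
    {"kind": "process",
     "image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_x\AppInstaller.exe",
     "cmdline": "AppInstaller.exe ms-appinstaller:?source="
                "https://example123.web.core.windows.net/pdf.appinstaller"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc123.dll,Control_RunDLL"},
    {"kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc123.dll,Control_RunDLL"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: DLL not in %Temp%
]

TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,\"]+\.dll", re.IGNORECASE)
AZURE_STATIC = re.compile(r"https?://[^\s/]+\.web\.core\.windows\.net/", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def detect(events):
    """Return (rule, evidence) pairs for events matching the Emotet / App Installer chain."""
    hits = []
    for ev in events:
        if ev["kind"] == "process":
            image, cmd = ev["image"].lower(), ev["cmdline"]
            if image.endswith("appinstaller.exe") and AZURE_STATIC.search(cmd):
                hits.append(("appinstaller_azure_download", cmd))
            elif image.endswith("rundll32.exe") and TEMP_DLL.search(cmd):
                hits.append(("rundll32_temp_dll", cmd))
        elif ev["kind"] == "registry":
            data = ev["data"]
            if RUN_KEY.search(ev["key"]) and (TEMP_DLL.search(data) or "rundll32" in data.lower()):
                hits.append(("new_autorun_temp_payload", ev["key"]))
    return hits

def chain_observed(events):
    """True only when all three stages appear, i.e. the full pattern rather than a lone event."""
    seen = {rule for rule, _ in detect(events)}
    return {"appinstaller_azure_download", "rundll32_temp_dll", "new_autorun_temp_payload"} <= seen

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
    print("full chain observed:", chain_observed(SAMPLE_EVENTS))
```

Correlating the three stages on one host within a short window keeps the rundll32 and Run-key rules from firing on ordinary software that also drops DLLs in %Temp%.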