Emotet and App Installer
Industry: N/A | Level: Tactical | Sources: Twitter - @malware_traffic & BleepingComputer
Emotet is following the same tactic BazarLoader used to abuse Windows App Installer packages, which Sophos reported on November 11th, 2021, according to Twitter security researcher @malware_traffic. The attack chain starts with an email built on a stolen reply chain that carries a link to an alleged PDF document. The link leads to a Google Drive-styled page, which triggers a download of a file hosted on Microsoft Azure at a .web.core.windows.net URL. Once the alleged Adobe PDF component is installed, a DLL is downloaded to the %Temp% folder and executed with rundll32, and an autorun registry entry is created for persistence.
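The chain above maps onto three observable host events: AppInstaller.exe launched through an ms-appinstaller: URI that points at a *.web.core.windows.net host, rundll32 loading a DLL out of a Temp directory, and a new value under a CurrentVersion\Run key. The detection logic below is an added example written for this brief, not Anvilogic's own content or a reproduction of the malware; it runs over constructed, Sysmon-like sample events (hostnames, user name, tenant label, package version string and the DLL name are placeholders). The two use-case names from the brief are kept verbatim; the third rule, "Rundll32 DLL from %Temp%", is an assumed supporting signal added here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-like sample events (not real telemetry). The package
# version in the AppInstaller path and every host, user and file name are
# placeholders; only the ms-appinstaller: URI form and the
# *.web.core.windows.net hosting come from the write-up.
SAMPLE_EVENTS = [
    {"ts": "2021-12-01T14:02:10", "host": "WS-0412", "type": "process_create",
     "image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.16.12653.0_x64__8wekyb3d8bbwe\AppInstaller.exe",
     "cmdline": "AppInstaller.exe ms-appinstaller:?source=https://tenant0.z13.web.core.windows.net/AdobePDF.appxbundle"},
    {"ts": "2021-12-01T14:03:45", "host": "WS-0412", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\payload.dll,Control_RunDLL"},
    {"ts": "2021-12-01T14:03:50", "host": "WS-0412", "type": "registry_set",
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\payload",
     "details": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\payload.dll,Control_RunDLL"},
    # Benign noise: a store-hosted package install and an ordinary rundll32 call.
    {"ts": "2021-12-01T09:15:00", "host": "WS-0099", "type": "process_create",
     "image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.16.12653.0_x64__8wekyb3d8bbwe\AppInstaller.exe",
     "cmdline": "AppInstaller.exe ms-appinstaller:?source=https://aka.ms/getwinget"},
    {"ts": "2021-12-01T09:20:00", "host": "WS-0099", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# ms-appinstaller: URI whose source is an Azure static-website host.
APPINSTALLER_AZURE = re.compile(
    r"ms-appinstaller:\?source=https?://[^/\s]+\.web\.core\.windows\.net/", re.I)
# A .dll argument living under the user or system Temp directory.
TEMP_DLL = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\s",]+\.dll\b', re.I)
# Any value written under a Run / RunOnce autostart key.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def is_appinstaller_download(ev):
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("\\appinstaller.exe")
            and APPINSTALLER_AZURE.search(ev.get("cmdline", "")) is not None)


def is_rundll32_temp_dll(ev):
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("\\rundll32.exe")
            and TEMP_DLL.search(ev.get("cmdline", "")) is not None)


def is_new_autorun(ev):
    return ev["type"] == "registry_set" and RUN_KEY.search(ev.get("target", "")) is not None


USE_CASES = {
    "AppInstaller.exe Download": is_appinstaller_download,
    "Rundll32 DLL from %Temp%": is_rundll32_temp_dll,  # assumed supporting rule, not from the brief
    "New AutoRun Registry Key": is_new_autorun,
}


def tag_events(events):
    """Return (host, timestamp, use_case, event) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, pred in USE_CASES.items():
            if pred(ev):
                hits.append((ev["host"], datetime.fromisoformat(ev["ts"]), name, ev))
    return hits


def correlate(events, window=timedelta(minutes=30)):
    """Raise the 'Malware & AppInstaller' scenario per host when an AppInstaller
    download from Azure static hosting is followed within `window` by a new
    autorun key; the rundll32 rule is attached as context when it also fired."""
    by_host = defaultdict(list)
    for host, ts, name, ev in tag_events(events):
        by_host[host].append((ts, name, ev))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for ts0, name0, _ in hits:
            if name0 != "AppInstaller.exe Download":
                continue
            chain = [name0]
            for ts, name, _ in hits:
                if ts0 <= ts <= ts0 + window and name not in chain:
                    chain.append(name)
            if "New AutoRun Registry Key" in chain:
                alerts.append({"host": host, "scenario": "Malware & AppInstaller",
                               "use_cases": chain, "first_seen": ts0.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only WS-0412 produces an alert; the aka.ms install and the shell32.dll call on WS-0099 match no rule. Treat the first rule as a suspicious-signal, not a conviction: *.web.core.windows.net also serves legitimate Azure static websites, so the correlation with the autorun write is what carries the scenario, and an allow-list of tenants your organisation actually uses belongs in front of it.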
- Anvilogic Scenario: Malware & AppInstaller
- Anvilogic Use Cases:
  - AppInstaller.exe Download
  - New AutoRun Registry Key