As reported by Cryptolaemus on Twitter, and demonstrated step by step by BleepingComputer, Emotet is now being distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.

How does the attack work?

To understand what Microsoft is supposed to do about this method, we need to look at how these attacks work. URLs are sent out to victims by using malspam. Using stolen reply-chain emails, the messages are sent as replies to existing conversations. In the email, the recipient is asked to look at an attachment. Clicking the link takes the victim to a fake Google Drive page that prompts them to click a button to preview a PDF document.

If the "Preview PDF" button is used, it triggers an ms-appinstaller URL, which attempts to open a file with the .appinstaller extension hosted on Microsoft Azure at a URL on *.web.core.windows.net. The appinstaller file type belongs primarily to Microsoft's App Installer. An .appinstaller file helps if you need multiple users to deploy your MSIX installation file. This is an XML file that you can write yourself or generate, for example by using Visual Studio. The .appinstaller file specifies where your app is located and how to update it.

When you try to open the .appinstaller file, the Windows browser prompts you to confirm that you want Windows App Installer to open it and continue. In this case, once you agree, you are shown an App Installer window prompting you to install an "Adobe PDF Component". This malicious package looks like a legitimate Adobe application because it has a legitimate Adobe PDF icon, a valid certificate that marks it as a "Trusted App", and fake publisher information.

If the user chooses to continue the installation (and why would they stop this far down the rabbit hole?), App Installer downloads and installs a malicious appxbundle hosted on Microsoft Azure. This bundle drops a .dll on the affected system and creates a startup entry for that .dll. The startup entry automatically launches the DLL when the user logs in to Windows. At that point you are infected with Emotet.
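As an added illustration, not code from the original post or from Microsoft, here is a small defender-side triage script that parses the .appinstaller manifest format described above and flags the traits this campaign relied on: the package being fetched from Azure static web hosting on *.web.core.windows.net, a non-HTTPS package URI, and a package name that claims Adobe while the publisher field does not. The sample manifest, hostnames and publisher are constructed placeholders, and the checks are heuristics, not a verdict.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces Microsoft's App Installer accepts for .appinstaller manifests.
APPINSTALLER_NS = ("http://schemas.microsoft.com/appx/appinstaller/2017/2",
                   "http://schemas.microsoft.com/appx/appinstaller/2018")
# Azure static website hosting suffix the post names as the payload host.
SUSPECT_HOST_SUFFIXES = (".web.core.windows.net",)

def parse_appinstaller(xml_text):
    """Return name, publisher, package URI and self-update URI from the manifest."""
    root = ET.fromstring(xml_text)
    ns, _, local = root.tag.rpartition("}")
    ns = ns.lstrip("{")
    if local != "AppInstaller" or ns not in APPINSTALLER_NS:
        raise ValueError("not an AppInstaller manifest")
    pkg = root.find(f"{{{ns}}}MainBundle")
    if pkg is None:
        pkg = root.find(f"{{{ns}}}MainPackage")
    if pkg is None:
        raise ValueError("manifest has no MainBundle/MainPackage")
    return {"name": pkg.get("Name"), "publisher": pkg.get("Publisher"),
            "package_uri": pkg.get("Uri"), "appinstaller_uri": root.get("Uri")}

def triage(info):
    """Return reasons this manifest deserves a closer look (heuristics only)."""
    reasons = []
    for key in ("package_uri", "appinstaller_uri"):
        uri = info.get(key)
        if not uri:
            continue
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            reasons.append(f"{key} is not https: {uri}")
        if (parsed.hostname or "").endswith(SUSPECT_HOST_SUFFIXES):
            reasons.append(f"{key} is on Azure static web hosting: {parsed.hostname}")
    # Heuristic drawn from the lure: the name says Adobe, the publisher does not.
    name, pub = (info.get("name") or "").lower(), (info.get("publisher") or "").lower()
    if "adobe" in name and "adobe" not in pub:
        reasons.append("package name claims Adobe but publisher does not")
    return reasons

# Constructed sample manifest modelled on the lure; hostnames are placeholders.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://placeholder.z13.web.core.windows.net/AdobePDF.appinstaller"
  Version="1.0.0.0" xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2">
  <MainBundle Name="AdobePDFComponent" Publisher="CN=Placeholder Publisher"
    Version="1.0.0.0" Uri="https://placeholder.z13.web.core.windows.net/AdobePDF.appxbundle" />
</AppInstaller>"""
```

Calling `triage(parse_appinstaller(SAMPLE))` on the constructed manifest returns three flags: both URIs sit on Azure static web hosting and the package name claims Adobe while the publisher does not.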

Hosting malicious files on Azure

Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content. Not just for malicious files as in the case of Emotet, but also for phishing sites, other fraudulent sites, and command and control servers. Azure is certainly not alone; other content hosting services like Google Drive, Dropbox, and Amazon’s web services are also abused to store malicious content. But critics are hard on Microsoft since it considers itself a security vendor. At the time of writing, the .appinstaller file had been removed, but it was available for download longer than it should have been.

[Image: the URL for the .appinstaller returns a 404 error]

While we understand how difficult it is to inspect everything that gets uploaded into your cloud service, and that you can’t study every new customer under a microscope, we also do not know how much time passed between the first report of this new Emotet distribution method and the actual takedown.

Microsoft is receiving flak because it is its cloud service that hosted the malware, its App Installer that is used in the process, and its operating system (Windows) that is the target of the attack. Does that make it an enabler? Not really, and certainly not a willing one.

Emotet

While we all thought and hoped that Emotet had kicked the bucket, it made a dramatic comeback a few weeks ago. And using new distribution methods is a clear sign that it is serious about the comeback.

So even if the URL looks trustworthy, the file icon looks legitimate, and the file is signed, do not click these links. Contact the purported sender to find out whether the message really came from them and was meant for you.

Stay safe, everyone!