Emotet is one of the most feared malware strains circulating right now. The team behind it has managed to infect a staggering array of targets all around the globe. To say that it is a major threat would be an understatement. Recently the group behind Emotet just upped the ante even further. Researchers have recently discovered that the malware is now being distributed via a new channel.

The new channel is a malicious Windows App Installer that appears to be an innocuous Adobe PDF reader. Windows App Installer is a built-in feature of both Windows 10 and 11 and systems can be infected by “tricking” users to click attachments in emails which trigger the App Installer.

Emotet’s preferred methodology revolves around a “conversation in progress” approach.  An email is crafted that already has several replies. So at a glance it appears that the recipient and whomever sent this email have already been conversing about something. The “most recent” reply says some variation of “please see attached” and contains a PDF file.

When the recipient clicks the file the built in App Installer is triggered and the malware is installed. Note that this completely bypasses most malware and AV software because the recipient is making a conscious decision to open the file in question.

The campaign is amazingly well put together.  The attachment and subsequent prompts appear to be legitimate Adobe Acrobat components right down to sporting an official company icon and a certificate marking it as a trusted application. So there’s no reason for a user to think that there’s anything amiss unless they look more closely at the email containing the attachment.

That’s exactly what the hackers are counting on.  They know that people are busy and may only give the body of the email a cursory glance before clicking to see what all the fuss was about.

As ever vigilance and mindfulness are the keys to avoiding these types of shenanigans.