[MART] - Daily Diary #404 - Emotet Spreading via Windows 'Call Me Back' Attack

CTAS-MAT ctas-mat at appgate.com
Fri Dec 3 18:31:05 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

12/03/2021 - Diary entry #404

In our Daily Diary #390 we covered Emotet's return, with a new campaign using Trickbot to deploy the malware payload.

Now a new campaign has been found using the Windows 10 App Installer to deploy the payload, in the 'call me back' attack covered in our Daily Diary #388. In this attack, users are targeted with spam messages containing a link to a phishing URL. The malicious page mimics a PDF loading error, asking the user to install Adobe Reader to access it. The Windows 10 App Installer then opens a pop-up asking for the installation of the payload, disguised as an AdobePDF component. Using this technique is very effective: as the Windows 10 App Installer itself is trusted, users unaware of the scam will easily allow the malware installation.

It's still not clear if this new Emotet version is developed by the same threat actors, but the change in the M.O. suggests that a new group is using Emotet to grow its own operation (possibly along with older members of the original Emotet operation).

Kind Regards,


Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
