Emotet being spread via malicious Windows App Installer packages

Emotet being spread via malicious Windows App Installer packages

As reported by Cryptolaemus on Twitter, and demonstrated step by step by BleepingComputer, Emotet is now being distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.

How does the attack work?

To understand what Microsoft is supposed to do about this method, we need to look at how these attacks work. URLs are sent out to victims by using malspam. The emails are sent to appear as replies to existing conversations by using stolen reply-chain emails. In the email they ask the receiver to look at an attachment. Clicking the link brings the victim to a fake Google Drive page that prompts them to click a button to preview the PDF document.

If you use the “Preview PDF” button it triggers an ms-appinstaller URL that attempts to open a file with an  .appinstaller extension hosted on Microsoft Azure using URLs at *.web.core.windows.net. Appinstaller files mostly belong to App Installer by Microsoft. An .appinstaller file helps if you need multiple users to deploy your MSIX installation file. This is an XML file that you can create yourself or create, for example by using Visual Studio. The .appinstaller file specifies where your app is located and how to update it.

When attempting to open an .appinstaller file, the Windows browser will prompt if you wish to open the Windows App Installer program to proceed. In this case, once you agree, you will be shown an App Installer window prompting you to install the “Adobe PDF Component.” This malicious package looks like a legitimate Adobe application, as it has a legitimate Adobe PDF icon, a valid certificate which marks it as a ‘Trusted App’, and fake publisher information.

If a user chooses to proceed with the install—and why would they stop this far down the rabbit hole?—App Installer will download and install the malicious appxbundle hosted on Microsoft Azure. This bundle drops a .dll on the affected system and creates a startup entry for this .dll. This startup entry will automatically launch the DLL when a user logs into Windows. At that point you are infected with Emotet.

Hosting malicious files on Azure

Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content. Not just for malicious files as in the case of Emotet, but also for phishing sites, other fraudulent sites, and command and control servers. Azure is certainly not alone, other content hosting sites like Google Drive, Dropbox, and Amazon’s web services are also abused to store malicious content. But critics are hard on Microsoft since it consider itself a security vendor. By the time of writing, the .appinstaller file was removed, but it was available for download longer than it should have been.

appinstaller removed

While we understand how difficult it is to inspect everything that gets uploaded into your cloud service, and that you can’t study every new customer under a microscope, we also do not know how much time passed between the first report of this new Emotet distribution method and the actual takedown.

Microsoft is receiving flack because it is its cloud service hosting malware, its app installer is used in the process, and its Operating System (Windows) is the target of the attacks. Does that make it an enabler? Not really and certainly not voluntarily.


While we all thought and hoped that Emotet had kicked the bucket, it made a dramatic comeback a few weeks ago. And using new distribution methods is a clear sign that it is serious about the comeback.

So, don’t click those links, even if the URL looks trustworthy, the file icon looks legit, and the file is signed. Check with the alleged sender about whether the message really comes from them and is intended for you.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.