The new channel is a malicious Windows App Installer that appears to be an innocuous Adobe PDF reader. Windows App Installer is a built-in feature of both Windows 10 and 11 and systems can be infected by "tricking" users to click attachments in emails which trigger the App Installer.

Emotet's preferred methodology revolves around a "conversation in progress" approach.  An email is crafted that already has several replies. So at a glance it appears that the recipient and whomever sent this email have already been conversing about something. The "most recent" reply says some variation of "please see attached" and contains a PDF file.

When the recipient clicks the file the built in App Installer is triggered and the malware is installed. Note that this completely bypasses most malware and AV software because the recipient is making a conscious decision to open the file in question.

The campaign is amazingly well put together.  The attachment and subsequent prompts appear to be legitimate Adobe Acrobat components right down to sporting an official company icon and a certificate marking it as a trusted application. So there's no reason for a user to think that there's anything amiss unless they look more closely at the email containing the attachment.

That's exactly what the hackers are counting on.  They know that people are busy and may only give the body of the email a cursory glance before clicking to see what all the fuss was about.

As ever vigilance and mindfulness are the keys to avoiding these types of shenanigans.

Used with permission from Article Aggregator