Adobe Acrobat Sign used to distribute malware
Cybercriminals have found a new way to distribute info-stealing malware to unsuspecting users by abusing Adobe Acrobat Sign, a popular online document signing service. Avast researchers discovered that threat actors register with the service and use it to send malicious emails to predefined email addresses.
Because the messages are generated and sent by Adobe Acrobat Sign itself, they arrive from Adobe's legitimate infrastructure rather than from a spoofed sender, which lets them slip past email security checks that would stop a forged message and makes recipients inclined to trust them. The link in each email leads to a document hosted on Adobe's servers; that document in turn links to an attacker-controlled website, which presents a CAPTCHA to add a veneer of legitimacy (and, as a side effect, to keep automated crawlers and sandboxes from reaching the payload). Visitors who pass the CAPTCHA are served a ZIP archive containing the Redline information stealer, which harvests account credentials, cryptocurrency wallets, credit card data, and other information from the compromised device.
Avast researchers also discovered highly targeted attacks that use this method. In one instance, the owner of a YouTube channel with a large subscriber base was targeted. After clicking the link in a specially crafted message sent via Adobe Acrobat Sign, the victim was taken to a document alleging music copyright infringement, a common and believable theme for YouTube channel owners.
In this case the document was hosted on dochub.com, another legitimate online document signing platform. The link in the document leads to the same CAPTCHA-protected website, which serves a copy of Redline. Here the ZIP file also contained several non-malicious executables from the GTA V game, indicating that the payload was mixed in with benign files in an attempt to fool AV tools.
According to Avast, the Redline payload was artificially inflated to 400MB in both cases, a trick that helps it evade anti-virus scanning, since many scanners skip or only partially inspect files above a size limit. The same technique has been used in recent Emotet phishing campaigns. Cybercriminals are constantly on the lookout for legitimate services that can be abused to deliver their malicious emails, because such services improve inbox delivery and raise phishing success rates.
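The size-inflation trick is easy to spot from ZIP metadata alone: a binary padded out to hundreds of megabytes compresses extremely well, so the ratio of uncompressed to compressed size is far larger than any real executable produces. The following Python script is an added example written for this page, not code from Avast, Adobe, or the cited report. It builds a constructed sample archive (a fake executable padded with zero bytes alongside small benign-looking files, standing in for the GTA V executables mentioned above) and flags entries that exceed a scanner size cap or compress like padding, then measures the trailing zero run of each flagged entry in a streaming fashion so a 400MB file never has to be held in memory. The thresholds and the assumption that padding consists of zero bytes are illustrative choices, not values taken from the report.

```python
"""Flag ZIP entries that look like size-inflated (padded) executables."""
import io
import zipfile
from dataclasses import dataclass

# Illustrative thresholds (assumptions for this example, not values from the Avast report).
SCAN_LIMIT_BYTES = 100 * 1024 * 1024    # size above which many AV engines skip a file
MIN_SUSPICIOUS_BYTES = 8 * 1024 * 1024  # ignore small files when applying the ratio rule
RATIO_THRESHOLD = 50.0                  # uncompressed/compressed ratio no real PE file reaches
PAD_BYTES = 12 * 1024 * 1024            # padding used in the constructed sample below


@dataclass
class Finding:
    name: str
    uncompressed: int
    compressed: int
    ratio: float
    trailing_zero_bytes: int
    reason: str


def trailing_zero_run(stream, chunk_size: int = 1 << 20) -> int:
    """Count 0x00 bytes at the end of a stream without loading it fully into memory."""
    run = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return run
        stripped = chunk.rstrip(b"\x00")
        # A chunk that is entirely zeros extends the run; otherwise the run restarts
        # at the last non-zero byte of this chunk.
        run = run + len(chunk) if not stripped else len(chunk) - len(stripped)


def inspect_zip(blob: bytes) -> list[Finding]:
    """Return findings for entries that exceed the scan cap or compress like padding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size >= SCAN_LIMIT_BYTES:
                reasons.append("exceeds typical scan size cap")
            if info.file_size >= MIN_SUSPICIOUS_BYTES and ratio >= RATIO_THRESHOLD:
                reasons.append("compression ratio indicates padding")
            if not reasons:
                continue
            # Only decompress entries that already look suspicious, and do it as a stream.
            with zf.open(info) as fh:
                zeros = trailing_zero_run(fh)
            findings.append(Finding(info.filename, info.file_size, info.compress_size,
                                    ratio, zeros, "; ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a zero-padded fake executable next to benign-looking files."""
    fake_pe = b"MZ" + bytes(range(126)) + b"\x00" * PAD_BYTES  # not a real PE, just a stand-in
    decoy = bytes(range(256)) * 16                              # stands in for the bundled GTA V files
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Copyright complaint - see attached evidence.\n")
        zf.writestr("PlayGTAV.exe", decoy)
        zf.writestr("setup.exe", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_archive()):
        print(f"{f.name}: {f.uncompressed} bytes, ratio {f.ratio:.0f}:1, "
              f"{f.trailing_zero_bytes} trailing zero bytes -> {f.reason}")
```

The ratio rule fires from the central directory alone, before any decompression, which is what makes this cheap to run on mail gateways or download proxies that otherwise give up on oversized attachments. Padding with something other than zeros (random bytes, repeated junk) defeats the trailing-zero measurement but not the size cap rule, so both checks are kept.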
Avast has disclosed all of its findings to Adobe and dochub.com.
The sources for this piece include an article in BleepingComputer.