Adobe Acrobat Sign is abused to power Redline data-stealing malware

Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute malware that steals information from unsuspecting users.

The service is being abused to send malicious emails originating from the software company to bypass security protections and trick recipients into trusting the email received.

The strategy of abusing legitimate services is not new. Similar cases seen recently include PayPal invoice abuse, Google Docs comments, and more.

This new trend in cybercrime was reported by Avast researchers, who warn about its effectiveness in bypassing security layers and deceiving targets.

Abusing legitimate services

Adobe Acrobat Sign is a free cloud-based electronic signature service that allows users to send, sign, track, and manage electronic signatures.

Attackers register with the service and abuse it to send messages to destination email addresses, which link to a document (DOC, PDF, or HTML) hosted on Adobe servers (“ /public/”).

The documents contain a link to a website that asks visitors to solve a CAPTCHA to add legitimacy, and then gives them a ZIP file that includes a copy of the Redline info-stealer.

Redline is dangerous malware capable of stealing account credentials, cryptocurrency wallets, credit cards, and other information stored on the compromised device.

Avast has also detected highly targeted attacks using this method, such as in a case where the target owned a popular YouTube channel with many subscribers.

By clicking the link in the specifically crafted message sent via Adobe Acrobat Sign, the victim accessed a document alleging music copyright infringement, a common and credible issue for YouTube channel owners.

Fake copyright infringement message (Avast)

This time, the document was hosted on, a legitimate online document signing platform.

Document containing the malicious link (Avast)

The link in the document leads to the same CAPTCHA-protected website that drops a copy of Redline.

In this case, however, the ZIP also contained several non-malicious executables from the GTA V game, likely an attempt to fool antivirus tools by mixing the payload with innocuous files.

Avast also reports that the Redline payload was artificially inflated to 400MB in both cases, which, again, helps it evade antivirus scans, since many scanners skip or only partially inspect files above a size limit. This same method was used in recent Emotet malware phishing campaigns.
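The padding trick described above leaves a measurable trace: an executable that has been inflated with a repeated byte is both unusually large and almost perfectly compressible. The following script is an added example written for this article, not code from Avast or from the article itself, and it makes no claims about the exact samples Avast analysed. It inspects a ZIP without extracting it, flags executables that are large, deflate to a tiny fraction of their size, or end in a long run of one byte value, and builds its own constructed sample archive (one padded "payload" beside a few normal-looking binaries, mirroring the mixed-in game files mentioned above). The thresholds, file names and sample contents are all assumptions chosen for the demonstration.

```python
import io
import os
import zipfile

# Added example (not from the Avast report or this article): triage helper that
# looks for "inflated" executables inside a ZIP, i.e. payloads padded with a
# repeated byte to push them past antivirus size limits.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")   # assumption: what counts as executable
TAIL_SAMPLE = 64 * 1024                            # assumption: bytes checked at the end of each entry


def tail_is_padding(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> bool:
    """True when the last TAIL_SAMPLE bytes of the entry are one repeated byte value."""
    with zf.open(info) as fh:
        # ZipExtFile is seekable when the archive is; jump to the tail of the entry.
        fh.seek(max(info.file_size - TAIL_SAMPLE, 0))
        tail = fh.read()
    return len(tail) > 0 and tail == tail[:1] * len(tail)


def inflated_executables(zip_bytes: bytes,
                         min_size: int = 50 * 1024 * 1024,
                         max_ratio: float = 0.01) -> list:
    """Return one finding per executable that is large and mostly padding.

    min_size and max_ratio are heuristic thresholds chosen for this example.
    A compressed/uncompressed ratio below max_ratio means deflate found almost
    no entropy in the file, which is what a zero-padded payload looks like.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXEC_SUFFIXES):
                continue
            if info.file_size < min_size:
                continue            # small executables are not "inflated"
            ratio = info.compress_size / info.file_size
            low_entropy = ratio <= max_ratio
            padded_tail = tail_is_padding(zf, info)
            if low_entropy or padded_tail:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "ratio": round(ratio, 4),
                    "padded_tail": padded_tail,
                })
    return findings


def build_sample_zip(padding: int) -> bytes:
    """Constructed sample archive: a tiny fake 'payload' executable inflated with
    zero bytes, plus random-content files standing in for innocuous binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x90" * 4096 + b"\x00" * padding)
        # ordinary-looking executables: random bytes barely compress at all
        zf.writestr("bin/launcher.exe", b"MZ" + os.urandom(200_000))
        zf.writestr("bin/helper.dll", b"MZ" + os.urandom(100_000))
        zf.writestr("readme.txt", b"installation notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    # 4 MiB of padding keeps the demo fast; lower min_size accordingly.
    sample = build_sample_zip(4 * 1024 * 1024)
    for finding in inflated_executables(sample, min_size=1024 * 1024):
        print(finding)
```

Run on a real archive, the default 50 MiB threshold is the one to start from; the tail check is deliberately cheap so that a 400MB entry is not fully decompressed just to reach a verdict. Neither signal proves malice on its own (legitimate installers can be large), but a large executable that is over 99% padding is worth pulling aside for sandboxing rather than letting a size-limited scanner wave it through.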

Phishing actors are constantly looking for legitimate services that can be abused to deliver their malicious emails, as these services help increase inbox deliverability and phishing success rates.

Avast has shared full details of its findings with Adobe and, and hopefully the two services will find a way to stop the abuse by malware operators.

James D. Brown