Cybercriminals have been observed abusing Adobe’s Acrobat Sign service to deliver emails leading to a RedLine stealer infection, cybersecurity firm Avast warns.
Acrobat Sign is a cloud service that allows registered users to sign, send, and track documents in real-time, as well as to send signature requests to anyone.
When a signature request is sent, Acrobat Sign automatically generates and sends an email to the recipient, with a link to the document, which can be a PDF, Word, HTML, or another file type.
Given that the message is sent from a legitimate Adobe email address and the document for which the signature request is sent is hosted on Adobe’s servers, the message bypasses any protections that the victim might have in place.
Acrobat Sign also allows the sender to add text to that email, and cybercriminals are abusing this feature to lure unsuspecting recipients into downloading malware.
As part of the observed attack, threat actors sent signature requests for documents that contain a link to a CAPTCHA page that in turn would take the victim to the download page for a ZIP file containing the RedLine stealer.
First seen in early 2020, RedLine can harvest and exfiltrate system information, along with data typically saved in browsers, such as steal credentials, credit card data, and crypto wallet information.
Displaying a fake notice of copyright infringement, the document analyzed by Avast was specifically created to target the owner of a popular YouTube channel. However, the intended victim realized that the document might not be legitimate and did not click the link.
A few days later, the attackers targeted the recipient again, this time with a request that also included a link to a page hosted on dochub.com, another document signing service.
If the recipient clicked on the link to review and sign the document, they were once again taken to Adobe and presented with the same document as before. A link included in the dochub.com page would take the intended victim to the same CAPTCHA page.
In addition to the RedLine stealer, the ZIP archive used in the second attack included some benign video game executables.
Likely in an attempt to bypass antivirus engines, the attackers artificially increased the size of both malware samples to over 400 megabytes.
“This abuse of Adobe Acrobat Sign to distribute malware is a new technique used by attackers that’s targeted to a specific victim. Our team has yet to detect other attacks using this technique; nevertheless, we fear that it may become a popular choice for cybercriminals in the near future. This is because it may be able to avoid different anti-malware filters, which increases its chances of reaching the victims,” Avast concludes.
Related:Microsoft OneNote Abuse for Malware Delivery Surges
Related:Attackers Can Abuse GitHub Codespaces for Malware Delivery
Related:Microsoft Patches MotW Zero-Day Exploited for Malware Delivery