
Adobe Acrobat Sign Abused to Distribute Malware

Cybercriminals are abusing the Adobe Acrobat Sign service in a campaign distributing the RedLine information stealer malware.

Cybercriminals have been observed abusing Adobe’s Acrobat Sign service to deliver emails leading to a RedLine stealer infection, cybersecurity firm Avast warns.

Acrobat Sign is a cloud service that allows registered users to sign, send, and track documents in real-time, as well as to send signature requests to anyone.

When a signature request is sent, Acrobat Sign automatically generates and sends an email to the recipient, with a link to the document, which can be a PDF, Word, HTML, or another file type.

Because the message is sent from a legitimate Adobe address and the document it points to is hosted on Adobe’s servers, it passes the sender-authentication and domain-reputation checks that would normally catch a spoofed sender or a link to an attacker-controlled host; those controls see nothing objectionable until the victim follows the link inside the document.

Acrobat Sign also allows the sender to add text to that email, and cybercriminals are abusing this feature to lure unsuspecting recipients into downloading malware.

As part of the observed attack, threat actors sent signature requests for documents that contain a link to a CAPTCHA page that in turn would take the victim to the download page for a ZIP file containing the RedLine stealer.

First seen in early 2020, RedLine harvests and exfiltrates system information along with data typically saved in browsers, such as credentials, credit card data, and cryptocurrency wallet information.

Displaying a fake notice of copyright infringement, the document analyzed by Avast was specifically created to target the owner of a popular YouTube channel. However, the intended victim realized that the document might not be legitimate and did not click the link.


A few days later, the attackers targeted the recipient again, this time with a request that also included a link to a page hosted on dochub.com, another document signing service.

If the recipient clicked on the link to review and sign the document, they were once again taken to Adobe and presented with the same document as before. A link included in the dochub.com page would take the intended victim to the same CAPTCHA page.
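The weak point in both lures is the same: the notification really does come from Adobe, but the sender-editable message (and, in the second attempt, the dochub.com link) carries a URL that has nothing to do with the service. The following Python is an added example, not code from Avast or Adobe, showing how a mail-gateway rule could flag exactly that combination: a DKIM-authenticated notification from the signing service whose body links to hosts outside it. The service domain list, header names and both sample messages are constructed assumptions for the example and should be checked against real Acrobat Sign mail before use.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains on which Acrobat Sign sends notifications and hosts the document.
# Assumption for this example: confirm it against genuine Acrobat Sign mail
# in your own environment before relying on it.
SERVICE_DOMAINS = ("adobesign.com", "echosign.com", "adobe.com")

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)


def _in_domains(host, domains):
    """True if host is one of domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    if msg.is_multipart():
        parts = [p for p in msg.walk()
                 if p.get_content_type() in ("text/plain", "text/html")]
    else:
        parts = [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def review_signature_request(raw_email):
    """Classify a signature-request notification.

    The mail counts as genuinely from the service only if the From domain is a
    service domain AND the receiving MTA recorded dkim=pass for it; a From
    header on its own is trivially spoofable. A genuine notification whose body
    links to hosts outside the service is flagged, because the only way such a
    link gets into the mail is through the sender-editable message.
    """
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    auth = msg.get("Authentication-Results", "")
    dkim_pass = re.search(r"\bdkim=pass\b", auth) is not None
    genuine = _in_domains(sender_domain, SERVICE_DOMAINS) and dkim_pass

    urls = URL_RE.findall(_body_text(msg))
    external = sorted({u for u in urls
                       if not _in_domains(urlparse(u).hostname, SERVICE_DOMAINS)})

    if not genuine:
        verdict = "not-from-service"   # hand to ordinary phishing triage
    elif external:
        verdict = "suspicious"         # genuine mail carrying an outside link
    else:
        verdict = "clean"
    return {"verdict": verdict, "sender_domain": sender_domain,
            "dkim_pass": dkim_pass, "external_urls": external}


# Constructed sample modelled on the lure described above: an authenticated
# notification whose sender message points at a page off the service.
SAMPLE_LURE = """\
From: Adobe Acrobat Sign <adobesign@adobesign.com>
To: creator@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=adobesign.com
Subject: Signature requested on "Copyright Infringement Notice"
Content-Type: text/plain; charset=utf-8

Legal Department requests your signature on "Copyright Infringement Notice".

Message from sender:
Your channel has been reported. Review the full claim at
https://docs-review.example/claim/4711 and sign within 48 hours.

Review and sign: https://secure.adobesign.com/public/example-request
"""

# Constructed sample of an ordinary notification with no outside link.
SAMPLE_CLEAN = """\
From: Adobe Acrobat Sign <adobesign@adobesign.com>
To: creator@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=adobesign.com
Subject: Signature requested on "Vendor Agreement"
Content-Type: text/plain; charset=utf-8

Review and sign: https://secure.adobesign.com/public/example-request
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(review_signature_request(sample))
```

The rule deliberately does not block: a genuine notification with an outside link is a strong signal for review, not proof of malice, since legitimate senders also paste URLs into the message field. Links inside the hosted document itself (the CAPTCHA page link in the first attempt) are not visible at the mail layer and need URL inspection at click time or a detonation of the document.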

In addition to the RedLine stealer, the ZIP archive used in the second attack included some benign video game executables.

Likely in an attempt to bypass antivirus engines, the attackers artificially inflated both malware samples to over 400 megabytes. Many antivirus engines and sandbox services do not fully scan files above a configured size limit, so padding a sample past that limit can keep it from being analyzed at all.
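The article does not say how the samples were inflated; the usual way is to append a large run of filler bytes, which is what the added example below assumes. It is not Avast's code or a description of the actual samples. It scores a file in fixed-size chunks by Shannon entropy, flags a large file whose chunks are overwhelmingly filler, and strips a trailing padding run so the real core can be handed to a scanner that has a size cap. The chunk size, thresholds and the in-memory sample file are assumptions for the example.

```python
import math
import random
from collections import Counter

CHUNK = 4096                 # bytes scored per entropy sample
LOW_ENTROPY = 1.0            # bits per byte; zero- or repeat-byte filler scores near 0
SIZE_FLOOR = 1024 * 1024     # assumption: ignore files smaller than 1 MiB
PADDING_FRACTION = 0.80      # assumption: flag when 80% or more of the chunks are filler


def shannon_entropy(chunk):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def padding_profile(data):
    """Count how many fixed-size chunks of data are low-entropy filler."""
    total = low = 0
    for off in range(0, len(data), CHUNK):
        total += 1
        if shannon_entropy(data[off:off + CHUNK]) < LOW_ENTROPY:
            low += 1
    return {"size": len(data), "chunks": total, "low_entropy_chunks": low,
            "padding_fraction": (low / total) if total else 0.0}


def looks_inflated(data):
    """True if the file is large mainly because it is full of filler."""
    p = padding_profile(data)
    return p["size"] >= SIZE_FLOOR and p["padding_fraction"] >= PADDING_FRACTION


def strip_trailing_padding(data):
    """Drop a trailing run of one repeated byte if the run is at least CHUNK
    long, so the remaining core fits under a scanner's file-size cap."""
    if not data:
        return data
    core = data.rstrip(data[-1:])
    return core if len(data) - len(core) >= CHUNK else data


# Constructed sample: a 64 KiB pseudo-random "payload" followed by 2 MiB of
# null bytes, standing in for an inflated executable. The last payload byte
# is fixed to a non-zero value so the padding boundary is unambiguous.
_rng = random.Random(1234)
PAYLOAD = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(64 * 1024 - 3)) + b"\xff"
INFLATED_SAMPLE = PAYLOAD + b"\x00" * (2 * 1024 * 1024)

if __name__ == "__main__":
    print(padding_profile(INFLATED_SAMPLE))
    print("inflated:", looks_inflated(INFLATED_SAMPLE))
    print("core size after stripping padding:", len(strip_trailing_padding(INFLATED_SAMPLE)))
```

Entropy-based checks only catch filler that is actually low-entropy; an attacker who pads with random bytes defeats the chunk score, though the trailing-run strip still fails safely by leaving the file untouched. In that case the practical fallback is to raise the scanner's size cap or to scan the file's parsed sections (for a PE, the headers and sections the loader will actually map) rather than the whole blob.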

“This abuse of Adobe Acrobat Sign to distribute malware is a new technique used by attackers that’s targeted to a specific victim. Our team has yet to detect other attacks using this technique; nevertheless, we fear that it may become a popular choice for cybercriminals in the near future. This is because it may be able to avoid different anti-malware filters, which increases its chances of reaching the victims,” Avast concludes.

Related: Microsoft OneNote Abuse for Malware Delivery Surges

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Related: Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
