A image of a magnifying glass hovering over a computer file, looking at malware.

Adobe Acrobat Sign Used To Spread RedLine Malware

Adobe Acrobat has been used by cybercriminals to send emails containing malware, leading to RedLine malware. Acrobat Sign is a cloud-based service that enables registered users to sign, send, and track documents in real-time. It also allows users to send signature requests to anyone.

The service is being misused to send malicious emails that seem to have come from the software company. This allows the emails to bypass security measures and tricks recipients into believing the email is authentic.

The technique of exploiting genuine services is not a new strategy. Recently, similar cases have been reported, such as the exploitation of PayPal invoices, Google Docs comments, and other similar services.

Using Adobe Acrobat Sign for Malicious Activities

Adobe provides a cloud-based document signing service named Acrobat Sign, which users can easily register and use. The service allows registered users to send signature requests for documents to anyone. Once initiated, an email is automatically generated and sent to the designated recipient.

Cybercriminals can register for the service and exploit it to send messages containing links to documents (DOC, PDF, or HTML) hosted on Adobe’s servers (“eu1.documents.adobe.com/public/”) and then send targeted email addresses.

The documents have a link that directs visitors to a website asking them to solve a CAPTCHA to add credibility. Once completed, visitors are provided with a ZIP archive that contains a copy of the RedLine information stealer. This highly dangerous malware can retrieve account credentials, cryptocurrency wallets, credit cards, and other personal data stored on the compromised device.

This particular type of attack has been shown by Avast to be particularly targeted, as in a recent incident when the victim was the owner of a popular YouTube channel with a sizable follower base.

The victim was sent a document alleging copyright violation of music after clicking on a link included in the well-designed message received using Adobe Acrobat Sign. For those who have a YouTube channel, this is a convincing topic that they often encounter.

Fake claim of copyright violation (Adobe Acrobate)
Fake claim of copyright violation (Avast)

After visiting the link, the victim is asked to download a ZIP file that contains RedLine malware. Fortunately, the victim recognised that there was something suspicious about the message and decided not to click on the link.

After a few days, the attacker tried the attack again, unaffected by their first failure. In the email sent via Adobe, they added another link to raise the chances that the malware would be executed. In this case, the document was stored on the trusted online document signing site, dochub.com.

File with the malicious link
File with the malicious link (Avast)

The document’s URL takes the user to the same website that offers a download of RedLine malware and is verified by a CAPTCHA. In this case, the ZIP file also included a few harmless executable files that were connected to the Grand Theft Auto V video game.

According to Avast, the RedLine payload was artificially increased to 400MB in both occurrences. This strategy is applied to avoid antivirus scans. Recent phishing attacks involving the Emotet malware also used a similar strategy.

Recommendations

It is advised that people avoid downloading any files or programs that appear suspicious and were obtained over the internet. Also, one should be prepared for phishing and social engineering attacks.

Phishing scammers are always searching for trustworthy services that they may use to spread their malicious emails. These services help to improve their inbox delivery, which increases the success of their phishing attacks.

It is not advisable to click on links contained in emails received from unknown senders. Messages received from unknown sources should be carefully reviewed.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.

Recent posts