
Adobe Acrobat Sign Abused to Distribute Malware

Cybercriminals have been abusing Adobe’s Acrobat Sign service to deliver malicious emails that lead to a RedLine stealer infection, according to cybersecurity firm Avast. Acrobat Sign is a cloud service that lets registered users send signature requests to any email address; the service itself generates the notification email and includes a link to the document. Because the message genuinely originates from Adobe’s mail infrastructure and the document is hosted on Adobe’s servers, sender-reputation and URL-reputation checks see a trusted sender and a trusted domain, and the message reaches the inbox.

The attackers used this to embed a link to a CAPTCHA page in the signature request; the CAPTCHA page forwarded the victim to a download page for a ZIP archive containing the RedLine stealer. First observed in 2020, RedLine harvests and exfiltrates system information along with data saved in browsers, such as passwords, credit card details, and cryptocurrency wallet information.

The attackers sent a signature request to the owner of a popular YouTube channel, but the intended victim suspected the document was not legitimate and did not click the link. A few days later the victim was targeted again, this time with a request that also included a link to a page hosted on dochub.com; clicking it led to the same CAPTCHA page. The ZIP archive delivered in the second attempt also contained several benign video game executables, most likely to help it evade antivirus engines.
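The lesson of the two attempts above is that the notification really is sent by the provider, so sender checks (SPF, DKIM, DMARC, sender reputation) pass and are not where the signal is; the attacker controls only the text typed into the request. The following triage script is an added example, not code from the article or from Avast: it parses an RFC 822 message, confirms the sender is the e-signature provider, and then extracts every URL in the body and flags the ones that do not belong to the provider’s own domains. The allowlist of provider domains, the sender addresses and all URLs in the two sample messages are assumptions constructed for the example.

```python
"""
Added example for triaging e-signature notification e-mails (not code from the
article or from Avast). The provider sends the message, so sender checks pass;
the attacker controls only the content typed into the request. The check
therefore accepts the provider as sender and inspects every URL in the body.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed allowlist of the provider's own domains; treat it as an example
# value and adjust it for the service you actually use.
PROVIDER_DOMAINS = {"adobesign.com", "echosign.com", "adobe.com"}

# Matches http(s) URLs in plain text or HTML; whitespace, quotes and
# brackets terminate a match.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def _host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _sender_domain(msg):
    """Domain part of the From: address (empty string if none found)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def _body_text(msg):
    """Concatenate all text/plain and text/html parts of the message."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )


def triage(raw_message):
    """Parse an RFC 822 message and report external links in a provider-sent mail."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_is_provider = _host_in(_sender_domain(msg), PROVIDER_DOMAINS)
    urls = URL_RE.findall(_body_text(msg))
    external = sorted(
        {u for u in urls if not _host_in(urlparse(u).hostname, PROVIDER_DOMAINS)}
    )
    if not sender_is_provider:
        verdict = "not-from-provider"   # spoof or unrelated mail: handle elsewhere
    elif external:
        verdict = "suspicious"          # trusted sender, attacker-controlled link
    else:
        verdict = "clean"
    return {
        "sender_is_provider": sender_is_provider,
        "external_urls": external,
        "verdict": verdict,
    }


# Constructed sample: the shape of a signature-request notification whose
# requester-supplied message carries a link off the provider's domains.
# Addresses and URLs are placeholders, not indicators from the report.
LURE_EMAIL = "\n".join([
    "From: Acrobat Sign <noreply@adobesign.com>",
    "To: channel-owner@example.com",
    "Subject: Contract for review and signature",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Please review and sign the attached agreement.",
    "Verify you are human first: https://captcha.example.net/check",
    "Review and sign: https://secure.eu1.adobesign.com/public/agreement",
    "",
])

# Constructed sample of a request with no requester-supplied links.
CLEAN_EMAIL = "\n".join([
    "From: Acrobat Sign <noreply@adobesign.com>",
    "To: channel-owner@example.com",
    "Subject: Contract for review and signature",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Review and sign: https://secure.eu1.adobesign.com/public/agreement",
    "",
])


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(raw))
```

Two caveats for anyone adapting this: the check only sees links that land in the notification body, so if the lure link sits only inside the hosted document, the document itself has to be fetched and scanned; and a link to another legitimate hosting service (the dochub.com page in the second attempt) is flagged only because it is off the provider’s domains, which is the right default but will also flag benign cross-references that users add to requests.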

Avast concluded that abusing Adobe Acrobat Sign to distribute malware is a new and effective technique for targeting specific victims and is likely to become popular among cybercriminals in the near future.

Key Points:
• Cybercriminals are abusing Adobe’s Acrobat Sign service to deliver malicious emails.
• The emails bypass security protections because they are sent from a legitimate Adobe address and link to a document hosted on Adobe’s servers.
• The link chain ends at a download page for a ZIP file containing the RedLine stealer.
• In the second attempt the ZIP archive also contained benign video game executables, likely to evade antivirus engines.
• This technique is likely to become popular among cybercriminals in the near future.
