Cybercriminals have been observed abusing Adobe’s Acrobat Sign service to deliver emails leading to a RedLine stealer infection, cybersecurity firm Avast warns.
Adobe Acrobat Sign is an online tool designed to help users with electronic document signing. Additionally, the service allows users to send signature requests via Adobe-generated emails. Hackers are exploiting the capability to add text to these emails by including a link to a document hosted on a legitimate Adobe server (eu1.documents.adobe.com/public/).
With Adobe-generated emails, attackers can trick unsuspecting recipients into believing they can preview the document when, in reality, the link redirects to another site. The site prompts the user to complete a hardcoded Captcha quiz, then directs them to download a ZIP archive which includes RedLine information stealer.
How the attack works
Avast researchers observed that attackers are abusing this service to distribute Redline:
- They register for the service via a fake email and upload a document containing a link to their website.
- They invite potential victims to review and sign the document, which is received as a genuine email from Adobe (adobesign@adobesign[.]com).
- The email contains custom text from the attackers, indicating that the reader will need to go through the document before signing it.
- The link in the document takes the victims to another site, protected via a hardcoded CAPTCHA. Subsequently, victims are urged to download a ZIP file that contains Redline.
To avoid detection, the attackers pad the trojan file to more than 400MB with zero bytes; the victim does not notice, because the file is delivered compressed. Although not certain, the motive is likely to evade antivirus software that handles very large files differently.
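As an added defender-side example (not code from Avast's report), the following Python check flags ZIP entries that match the padding pattern described above: a large inflated size, an extreme compression ratio, and content that is almost entirely zero bytes. The sample archive, the entry name and the thresholds are constructed for the demo, with the padding scaled down from 400MB.

```python
import io
import zipfile

# Constructed sample size: 5 MiB of zeros stands in for the real >400MB padding.
PADDING_SIZE = 5 * 1024 * 1024


def build_sample_zip(payload: bytes, padding: int = PADDING_SIZE) -> bytes:
    """Return an in-memory ZIP holding one entry padded with zero bytes (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_document.exe", payload + b"\x00" * padding)
    return buf.getvalue()


def suspicious_entries(zip_bytes: bytes, min_uncompressed: int = 1024 * 1024,
                       min_ratio: float = 50.0, zero_fraction: float = 0.9) -> list:
    """Flag entries that inflate enormously and consist mostly of zero bytes.

    Thresholds are illustrative assumptions, not values from the report.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Cheap pre-filter from the central directory: skip small or
            # poorly compressing entries before reading any content.
            if info.file_size < min_uncompressed or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if ratio < min_ratio:
                continue
            # Stream the entry in chunks so a multi-hundred-MB file is never
            # held in memory at once; count the zero bytes as we go.
            zeros = 0
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    zeros += chunk.count(b"\x00")
            frac = zeros / info.file_size
            if frac >= zero_fraction:
                findings.append({
                    "name": info.filename,
                    "uncompressed": info.file_size,
                    "compressed": info.compress_size,
                    "ratio": round(ratio, 1),
                    "zero_fraction": round(frac, 3),
                })
    return findings
```

A highly compressible but non-zero entry (for example a repeating byte pattern) passes the ratio filter yet is not flagged, which is why the zero-byte count is checked in addition to the ratio.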