Cybercriminals are exploiting Adobe Acrobat Sign, an online document signing service, to trick users into downloading malware that steals their personal information.
In order to get around security measures and dupe users into believing the email they got is legitimate, the service is being misused to send malicious emails that appear to come from the software business.
The practice of misusing legal services is not new. Abuse of Google Documents comments, PayPal invoicing, and other platforms are current examples of situations similar to this.
Researchers at Avast alerted the public to this new cybercrime trend and cautioned against its efficiency in evading security measures and deceiving targets.
Exploiting legal services
Adobe Acrobat Sign is a cloud-based e-signature service that allows users to send, sign, track, and manage electronic signatures for free.
Threat actors register with the service and use it to send messages to certain email addresses that contain a link to a document published on Adobe's servers ("eu1.documents.adobe.com/public/").
The documents include a link to a website that asks visitors to complete a CAPTCHA in order to add authenticity before serving them a ZIP archive containing a copy of the Redline information stealer.
Redline is a dangerous spyware that can steal account credentials, cryptocurrency wallets, credit cards, and other data from a compromised device.
Avast has also detected highly targeted attacks using this strategy, such as one in which the victim had a popular YouTube channel with a large number of subscribers.
The victim was taken to a document claiming music copyright infringement after clicking on the link in the specially-crafted letter sent via Adobe Acrobat Sign, a popular and credible theme for YouTube channel owners.
This time, the document was stored on dochub.com, a renowned website for online document signing.
The document's link points to the same CAPTCHA-protected website where a download of Redline is made available.
The ZIP file in this instance, however, also included a number of executables from the GTA V game that weren't harmful, probably in an effort to confuse antivirus software programmes.
Additionally, according to Avast, the Redline payload in both instances was artificially inflated to 400MB, aiding in the prevention of anti-virus scans. Recent phishing attacks utilising the Emotet malware employed this same technique.
Phishing actors are continually looking for genuine services that may be misused to advertise their malicious emails, as these services enhance their mailbox delivery and phishing success rates.
Adobe and Dochub.com have been given full access to Avast's findings, and it is hoped that these two services will discover a means to deter malware operators from abusing their services.