Security researchers at Avast have reported that threat actors are using Adobe Acrobat Sign to distribute Redline malware. Adobe Acrobat Sign is a free-to-try, cloud-based e-signature service that allows users to send, sign, track, and manage electronic signatures. Because the service itself sends the notification email, the messages originate from Adobe's own mail infrastructure: they pass the sender-authentication checks (SPF, DKIM and DMARC) that would catch a spoofed message, and they arrive looking like a routine document-signing request from a trusted company.
The threat actors register with the service and use it to send emails that link to a DOC, PDF, or HTML document hosted on Adobe's servers. That document in turn links to a website which asks visitors to solve a CAPTCHA before serving a ZIP archive containing a copy of the Redline stealer; the CAPTCHA adds to the sense of legitimacy and also keeps automated crawlers and URL scanners from reaching the payload. In some instances the ZIP also contained several non-malicious executables, so that the malicious payload was disguised among them. In all instances, the payload itself was artificially inflated to around 400MB. Many anti-virus engines and sandboxes skip, truncate, or time out when scanning files above a size limit, so the padding lets the sample evade detection even though the added bytes do nothing.
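The inflated payload leaves a signature of its own: padding made of repeated bytes compresses almost to nothing, so the archive entry is tiny on disk yet expands to hundreds of megabytes. The following script is an added example for this article, not code from Avast or from the report; it constructs an in-memory ZIP shaped like the one described (a few small decoy executables plus one zero-padded "MZ" file) and flags entries that are large executables whose bulk is filler. The size and ratio thresholds, the file names, and the sample contents are all assumptions made for illustration.

```python
import io
import os
import zipfile

# Thresholds are assumptions chosen for this example, not figures from the report.
LARGE_BYTES = 100 * 1024 * 1024   # many scanners skip or time out on files this large
MIN_RATIO = 50.0                  # uncompressed/compressed; real PE code rarely exceeds ~4:1
TAIL_SAMPLE = 4096                # bytes read from the end of an entry to look for padding


def build_sample_archive(payload_size: int, decoys: int = 3) -> bytes:
    """Construct (in memory) an archive shaped like the one described in the text:
    a few small decoy executables plus one 'setup.exe' padded with zero bytes.
    Everything here is synthetic; nothing is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(decoys):
            # Decoys: an MZ header followed by random bytes, which compress poorly,
            # much as genuine compiled code does.
            zf.writestr(f"helper{i}.exe", b"MZ" + os.urandom(64 * 1024))
        # The "payload": a 512-byte stub header followed by zero padding, written in
        # 1 MiB chunks so the full uncompressed size never has to sit in memory.
        with zf.open("setup.exe", "w") as fh:
            fh.write(b"MZ" + b"\x90" * 510)
            remaining = payload_size - 512
            chunk = b"\x00" * (1 << 20)
            while remaining > 0:
                n = min(remaining, len(chunk))
                fh.write(chunk[:n])
                remaining -= n
    return buf.getvalue()


def scan_archive(data: bytes, large_bytes: int = LARGE_BYTES,
                 min_ratio: float = MIN_RATIO) -> list:
    """Return one record per entry that looks like a padded executable: a file with
    a PE ('MZ') header, at or above large_bytes, whose size is mostly filler
    (either a very high compression ratio or a tail made of one repeated byte)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            with zf.open(info) as fh:
                magic = fh.read(2)
                tail = b""
                if info.file_size > TAIL_SAMPLE:
                    # Forward seek on a DEFLATE stream inflates everything up to that
                    # point, which is cheap for padding and bounded by the entry size.
                    fh.seek(info.file_size - TAIL_SAMPLE)
                    tail = fh.read(TAIL_SAMPLE)
            is_exe = magic == b"MZ"
            is_large = info.file_size >= large_bytes
            uniform_tail = bool(tail) and len(set(tail)) == 1
            is_filler = ratio >= min_ratio or uniform_tail
            if not (is_exe and is_large and is_filler):
                continue
            reasons = ["PE header", f"{info.file_size >> 20} MiB uncompressed"]
            if ratio >= min_ratio:
                reasons.append(f"compression ratio {ratio:.0f}:1")
            if uniform_tail:
                reasons.append(f"last {TAIL_SAMPLE} bytes are all 0x{tail[0]:02x}")
            findings.append({"name": info.filename, "size": info.file_size,
                             "ratio": round(ratio, 1), "reasons": reasons})
    return findings


if __name__ == "__main__":
    sample = build_sample_archive(400 * 1024 * 1024)   # the size reported in the text
    print(f"archive is {len(sample)} bytes on disk")
    for hit in scan_archive(sample):
        print(hit["name"], hit["size"], hit["ratio"], "; ".join(hit["reasons"]))
```

Run stand-alone, the script builds the 400MB variant and reports only setup.exe; the decoys are small and incompressible, so they never trip the combined check. Note the caveat in the ratio test: if an attacker pads with incompressible junk instead of zeros, the entry stays large on disk and the ratio and uniform-tail heuristics both fail, leaving only the bare size and the delivery context (a CAPTCHA-gated archive reached from an e-signature notification) as indicators.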
While using legitimate resources to aid a phishing campaign is not a novel tactic, it is an effective one. When an end user receives a phishing email that genuinely comes from a legitimate source such as Adobe Sign, they are far more likely to fall for it, because many users do not know how to identify a phishing email beyond the basics. Phishing training typically tells users to look for a suspicious subject line, a suspicious sender, or spelling and grammar mistakes in the body, and a campaign like this one shows none of those signs: the sender, the link, and the hosted document are all legitimately Adobe's. The best defense against such a campaign is to ensure that end users are educated not only on the common indicators of phishing but also on these more sophisticated techniques, in particular that a trustworthy sender does not make the file at the end of a chain of links trustworthy. This could be done through quarterly education or through internal phishing tests run over the course of the year that use these newer tactics.