Security researchers at Avast have reported that threat actors are using Adobe Acrobat Sign to distribute Redline malware. Adobe Acrobat Sign is a free-to-try cloud-based e-signature service that allows users to send, sign, track, and manage electronic signatures. Abusing this service lets the actors send emails that originate from the software company itself, which bypasses security protections and tricks the user into thinking they are receiving a trusted email.
The threat actors register with the service to send emails that link to a DOC, PDF, or HTML document hosted on Adobe’s servers. These documents in turn contain a link to a website that asks visitors to solve a CAPTCHA, adding to its apparent legitimacy, before serving a ZIP archive that includes a copy of the Redline malware. In some instances, the ZIP also contained several non-malicious executables to disguise the malicious payload. In all instances, the payload itself was artificially inflated to 400MB to help it evade anti-virus scans.
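For defenders, the inflated payload described above can be triaged from ZIP metadata alone, without extracting anything. The following is an added example, not code from Avast or the original report; it assumes the padding is compressible filler such as zero bytes, and the thresholds, function names and sample archive are hypothetical.

```python
import io
import zipfile

# Assumed defaults (not from the report); tune to your scanner's size limit.
SIZE_LIMIT = 100 * 1024 * 1024   # flag members whose unpacked size exceeds this
RATIO_LIMIT = 50                 # unpacked/packed ratio that suggests filler padding
EXEC_EXTS = (".exe", ".scr", ".dll", ".com")


def triage_zip(data, size_limit=SIZE_LIMIT, ratio_limit=RATIO_LIMIT):
    """Return (name, unpacked_size, ratio, reasons) for suspicious executable members.

    Only the ZIP central directory is read, so sizes are as declared by the
    archive and nothing is decompressed or written to disk.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(EXEC_EXTS):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size > size_limit:
                reasons.append("oversized")
            if ratio > ratio_limit:
                reasons.append("high-ratio")
            if reasons:
                findings.append((info.filename, info.file_size, round(ratio), reasons))
    return findings


def build_sample(padded_size):
    """Constructed sample: one small ordinary member and one zero-padded member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("helper.exe", bytes(range(256)))            # barely compressible
        zf.writestr("setup.exe", b"MZ" + b"\x00" * padded_size)  # padded with zeros
    return buf.getvalue()


if __name__ == "__main__":
    # Small constructed archive with a lowered size limit so the demo runs quickly.
    for finding in triage_zip(build_sample(2 * 1024 * 1024), size_limit=1024 * 1024):
        print(finding)
```

A member that is both oversized and highly compressible is a candidate for sandbox detonation or manual review rather than a skipped scan.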