Malware scam: Acrobat Sign service abused to deliver malware
An email that comes from Adobe and asks for a digital signature can’t be anything bad: that, at least, is what the potential victims of a newly discovered malware scam are meant to think. As the antivirus company Avast reports, cybercriminals have misused the Adobe Acrobat Sign cloud service to send their victims legitimate-looking emails. What the recipients ultimately get, however, is a malware download.
Acrobat Sign is a cloud service through which registered users can send signature requests for documents to any recipient. Acrobat Sign generates and sends the recipient an email containing a link to the document, which can be a PDF, a Word document, an HTML file and more. Adobe hosts the documents itself, Avast explains in a blog post about the new scam. Senders can also add free text that is embedded in the email. This is exactly where the criminals hook in.
Malware scam: Adobe as sender
The emails Avast was able to analyse were sent from Adobe’s own legitimate sender address; only the displayed sender name had been changed. A “Review and sign” button in the email leads to Adobe’s cloud storage at eu1.documents.adobe.com/public/, which is likewise a legitimate and unsuspicious address. The document the criminals uploaded there contains a further link, meant to give victims the impression that it will take them to the content they are supposed to sign.
Clicking that link redirects victims to a further website with a fake CAPTCHA whose solution is hard-coded. Once the expected string has been entered and submitted, the site serves a ZIP file containing a variant of the RedLine infostealer, which its operators use to steal saved passwords, cryptocurrency wallets and more.
In the specific case, the attackers had picked their victim deliberately: the owner of a YouTube channel with hundreds of thousands of subscribers, and the pretext in the malware email was tailored accordingly. According to Avast, the recipient found the email somewhat “phishy” and did not click the link. The attackers then made a second attempt via another e-signature service and finally tried once more via Acrobat Sign to get their malicious code onto the victim’s machine.
The scam is insidious. Many protection products are likely to classify Adobe emails and Adobe domains as trustworthy, and recipients trust the official Adobe sender address far more than a look-alike domain. The attackers also inflated the malware in the ZIP file to over 400 megabytes by padding it with null bytes, which compress down to almost nothing. The idea is probably that many virus scanners skip files above a size limit, scan only part of them, or otherwise treat large files differently. It is a further, if clumsy, attempt to evade detection.
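The padding trick leaves two telltale marks that a scanner can check cheaply: an extreme uncompressed-to-compressed ratio in the ZIP’s central directory, and a long run of null bytes at the end of the extracted file. The following script is an added example (not code from Avast, Adobe or the original article) that inspects a ZIP for such inflated entries and reports the effective size of the payload before the padding. The threshold values, the chunk size and the sample archive it builds (a small fake executable padded with 2 MiB of zeros plus a harmless text file) are assumptions chosen for the demonstration; the real sample described above was padded to over 400 MB.

```python
import io
import zipfile

# Heuristic thresholds (assumptions for this example, tune for your environment).
COMPRESSION_RATIO_THRESHOLD = 50.0   # uncompressed / compressed size considered extreme
PAD_FRACTION_THRESHOLD = 0.90        # share of the file made up of trailing nulls
CHUNK = 1024 * 1024                  # read entries in 1 MiB pieces, never whole
MAX_BYTES = 1024 * 1024 * 1024       # stop decompressing after 1 GiB (zip-bomb guard)


def trailing_null_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of data."""
    return len(data) - len(data.rstrip(b"\x00"))


def inspect_zip(zip_bytes: bytes) -> list:
    """Return one finding per file entry, flagging null-padded, highly
    compressible entries as suspicious. Entries are streamed so that a
    multi-hundred-megabyte padded payload never has to sit in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            run = 0          # current run of trailing nulls across chunks
            total = 0        # bytes decompressed so far
            truncated = False
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    stripped = chunk.rstrip(b"\x00")
                    if stripped:
                        # A non-null byte in this chunk resets the run to the
                        # nulls that follow it within the same chunk.
                        run = len(chunk) - len(stripped)
                    else:
                        run += len(chunk)
                    if total >= MAX_BYTES:
                        truncated = True
                        break
            pad_fraction = run / max(total, 1)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "compressed": info.compress_size,
                "ratio": round(ratio, 1),
                "trailing_nulls": run,
                "effective_size": total - run,
                "truncated": truncated,
                "suspicious": (ratio >= COMPRESSION_RATIO_THRESHOLD
                               and pad_fraction >= PAD_FRACTION_THRESHOLD),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a fake 'executable' (not a real PE, just a 4 KiB
    byte pattern starting with MZ) padded with 2 MiB of nulls, next to a
    benign text file."""
    payload = (b"MZ" + bytes(range(256)) * 16)[:4096]
    padded = payload + b"\x00" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_Contract.exe", padded)
        zf.writestr("readme.txt", b"Please review and sign the attached document.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']}: {f['size']} bytes, ratio {f['ratio']}, "
              f"{f['trailing_nulls']} trailing nulls, "
              f"effective size {f['effective_size']} bytes")
```

Reading the entry in chunks and tracking the trailing null run incrementally keeps memory flat even for the 400 MB case, and the effective size tells the analyst how much of the file is worth hashing or submitting to a sandbox; a scanner that compares the padded size against a fixed limit, as the article suspects many do, is exactly what the technique is built to defeat.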
Avast regards the observed attack as a new technique for reaching potential victims. Although the researchers have so far seen only this one campaign, they consider it likely that the approach will soon become a popular scam: it slips past some malware filters and thus reaches more potential victims, which makes it attractive.
Emails that look trustworthy are a common vehicle for cybercriminals to plant malware on potential victims. The recently resurfaced Emotet trojan, for example, now uses OneNote files as email attachments to trick recipients into running malware.