Cybercriminals abuse Adobe Acrobat Sign, an online document signing service, to distribute information-stealing malware to unsuspecting users.
The service is misused to send malicious emails that appear to originate from a trusted software vendor, which helps them bypass security protections and persuades recipients to trust the message.
The strategy of abusing legitimate services is not new. Similar cases observed recently include the abuse of PayPal invoices, Google Docs comments, and more.
This new trend in cybercrime has been reported by researchers from Avast, who warn of its effectiveness in bypassing security layers and deceiving targets.
Abuse of legitimate services
Adobe Acrobat Sign is a free, cloud-based electronic signature service that allows users to send, sign, track, and manage electronic signatures.
Threat actors register with the service and abuse it to send messages to target email addresses; the messages point to a document (DOC, PDF, or HTML) hosted on Adobe's servers (“eu1.documents.adobe.com/public/”).
The documents contain a link to a website that asks visitors to solve a CAPTCHA to add legitimacy, then serves them a ZIP archive containing a copy of the Redline infostealer.
Redline is dangerous malware capable of stealing account credentials, cryptocurrency wallets, credit cards, and other information stored on the compromised device.
Avast has also spotted highly targeted attacks using this method, such as in a case where the target had a popular YouTube channel with many subscribers.
Clicking on the link in the specially crafted message sent via Adobe Acrobat Sign brought the victim to a document alleging music copyright infringement, a common and believable theme for YouTube channel owners.
This time, the document was hosted on dochub.com, a legitimate online document signing platform.
The link in the document leads to the same CAPTCHA-protected website, which drops a copy of Redline.
In this case, however, the ZIP also contained several non-malicious GTA V game executables, likely an attempt to hide the payload among harmless files and confuse AV tools.
Avast also reports that the Redline payload was artificially inflated to 400MB in both cases, which again helps it evade antivirus scans. The same method was recently used in Emotet malware phishing campaigns.
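The padding trick described above leaves a measurable trace: a file that is hundreds of megabytes on disk but compresses to almost nothing, because the filler is a long run of identical bytes. The following script, an added example that is not part of the Avast report, inspects a ZIP archive and flags executable entries that show that signature; the thresholds and the constructed sample archive are assumptions chosen for illustration.

```python
import io
import os
import zipfile

EXEC_SUFFIXES = (".exe", ".dll", ".scr")

def padding_fraction(tail: bytes) -> float:
    """Fraction of the tail made up of its single most common byte value."""
    if not tail:
        return 0.0
    return max(tail.count(b) for b in set(tail)) / len(tail)

def scan_archive(data: bytes, min_size: int = 100 << 20, max_ratio: float = 0.05,
                 tail_len: int = 4096) -> list[dict]:
    """Flag executable entries that look artificially inflated.

    Three signals are combined: an uncompressed size far above what a small
    tool would plausibly need, a compressed/uncompressed ratio that only a
    long run of filler bytes produces, and a tail that is almost entirely
    one byte value. Thresholds are assumptions, tune them for your environment.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXEC_SUFFIXES):
                continue
            ratio = info.compress_size / info.file_size if info.file_size else 1.0
            with zf.open(info) as fh:
                # Only the last few KB are needed to recognise the filler run.
                fh.seek(-min(tail_len, info.file_size), os.SEEK_END)
                filler = padding_fraction(fh.read())
            inflated = info.file_size >= min_size and ratio <= max_ratio and filler >= 0.9
            findings.append({"name": info.filename, "size": info.file_size,
                             "ratio": round(ratio, 4), "inflated": inflated})
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: one zero-padded executable beside harmless-looking files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", b"MZ" + os.urandom(64 << 10) + b"\x00" * (2 << 20))
        zf.writestr("game.exe", b"MZ" + os.urandom(64 << 10))
        zf.writestr("readme.txt", b"Install instructions")
    return buf.getvalue()

if __name__ == "__main__":
    # The sample uses a 1 MB threshold so the 2 MB padded entry is flagged.
    for finding in scan_archive(build_sample_archive(), min_size=1 << 20):
        print(finding)
```

Against a real 400MB sample the default 100MB threshold applies; the tail read keeps the check cheap even for large entries.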
Phishing actors are constantly on the lookout for legitimate services that can be abused to deliver their malicious emails, as these services help to increase their inbox delivery and phishing success rates.
Avast has shared full details of its findings with Adobe and dochub.com, and we hope the two services find a way to stop abuse by malware operators.