Attackers Abuse Genuine Document Signing Service to Spread Redline Info-stealer

Attackers often abuse genuine online document services such as Adobe PDF online to spread malware. In a recent campaign, they abused the genuine document signing service Adobe Acrobat Sign to deliver the Redline information stealer.

Brief about Adobe Acrobat Sign

  • Adobe Acrobat Sign is an e-signature service that allows users to upload documents to the cloud, and share them with intended users for their electronic signatures.
  • The free trial of the service lets users upload their documents to Adobe's public servers at eu1.documents.adobe[.]com/public/.
  • Once the documents are uploaded, users can share them with specific recipients by using Adobe's email-based notification service. This service allows users to include personalized text when sharing their documents.

Coming to the exploit

Avast researchers observed attackers abusing this service to distribute Redline. They register for the service with a fake email address and upload a document containing a link to their own website.
  • They invite potential victims to review and sign the document; the invitation arrives as a genuine email from Adobe (adobesign@adobesign[.]com).
  • The email contains custom text from the attackers, telling the reader that they need to go through the document before signing it.
  • The link in the document takes the victim to another site, protected by a hardcoded CAPTCHA. The victim is then urged to download a ZIP file that contains Redline.

Highly-focused attacks

The attacks are highly targeted: attackers repeatedly attempt to deploy the malware to the same victim.
  • In one case, the owner of a popular YouTube channel received a fake email claiming to be a music copyright infringement notice from a music company, hosted on Adobe Acrobat Sign.
  • When the channel owner did not click the link, the attackers tried again with another fake message sent via a different document signing service, dochub[.]com, which redirects the user to the Adobe Acrobat Sign document.
  • Every attempt eventually redirects the victim to the download site hosting Redline.
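As an added example (not part of this write-up or of Avast's research), a mailbox triage routine that checks an incoming signing request for the traits described in the two sections above: a genuine Adobe sender whose hosted document links off-platform or offers a ZIP download, a hop through dochub[.]com, and copyright-notice lure wording. All message objects and URLs are constructed samples, and the routine assumes the links inside the hosted document have already been extracted.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators from the write-up above; every message below is a constructed sample.
ADOBE_SIGN_SENDER = "adobesign@adobesign.com"
ADOBE_DOC_HOSTS = ("documents.adobe.com",)   # eu1.documents.adobe.com/public/ in the campaign
PIVOT_HOSTS = {"dochub.com"}                 # second signing service used as a hop
LURE_WORDS = ("copyright", "infringement", "notice", "urgent")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class SignRequest:
    sender: str
    subject: str
    body: str                     # notification text, including the requester's custom message
    document_links: list = field(default_factory=list)   # URLs already extracted from the hosted document


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_adobe_doc(url: str) -> bool:
    h = _host(url)
    return any(h == d or h.endswith("." + d) for d in ADOBE_DOC_HOSTS)


def triage(req: SignRequest) -> list:
    """Return the reasons a signing request deserves review before anyone clicks.
    An empty list means none of the campaign's traits were observed."""
    reasons = []
    if req.sender.lower() == ADOBE_SIGN_SENDER:
        # The notification itself is genuine, so judge what the uploaded document points at.
        external = [u for u in req.document_links if not _is_adobe_doc(u)]
        if external:
            reasons.append("document links off-platform: " + ", ".join(sorted({_host(u) for u in external})))
        if any(urlparse(u).path.lower().endswith(".zip") for u in external):
            reasons.append("document offers a ZIP download")
    body_hosts = {_host(u) for u in URL_RE.findall(req.body)}
    if body_hosts & PIVOT_HOSTS:
        reasons.append("notification pivots through another signing service")
    hits = [w for w in LURE_WORDS if w in f"{req.subject} {req.body}".lower()]
    if hits:
        reasons.append("legal-pressure lure wording: " + ", ".join(hits))
    return reasons
```

A request that stays on Adobe's own document host and carries no lure wording returns an empty list, so the routine only raises requests that show the campaign's pattern.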

Recent cloud services abuses

In the past few months, several attackers have targeted cloud-based services for a range of malicious activity, including cryptojacking and malware distribution.
  • Last month, a mysterious group dubbed Nevada Group targeted thousands of cloud servers across the U.S. and Europe by exploiting an easy-to-fix vulnerability.
  • Around the same time, the China-based 8220 Gang was targeting poorly secured cloud servers with the Tsunami IRC bot and a custom cryptominer.

Concluding notes

Abuse of legitimate cloud-based services such as Adobe Acrobat Sign has become a favorite tactic of phishing attackers, because it provides a direct route into the target's inbox through genuine notification channels. Experts advise users to be extra cautious when clicking links received from unknown sources, and to scan all content received from the internet with a genuine anti-virus product before running it.
Cyware Publisher