Curated Intel Threat Report: Adobe Document Cloud credential harvesting campaign

Disclaimer - Curated Intelligence is a private trust group and members are able to publish their research under our banner without it being attributed to them. We thank our members for their contribution.

Members of Curated Intelligence have recently tracked a new global credential harvesting campaign targeting Microsoft accounts. This latest wave of phishing attacks masquerades as ‘shared document’ notification emails that deliver an embedded URL. If clicked, it leads to a fake Adobe Document Cloud application login page that harvests credentials for Outlook and Office 365.

Many countries were targeted in this campaign; however, the US and the UK have seen most of the targeting, followed by the Netherlands. Other targets possibly include Germany, France, Sweden, Portugal, Spain, Italy, India, Australia, Belgium, Slovenia, Poland, Chile, Norway, Romania, Canada, Turkey, Singapore, Japan, and Hong Kong.

The campaign is believed to have been delivered via a range of phishing emails that have varied in content depending on the target. Some emails requested that the user visit a landing page to view an “encrypted”, “scanned”, or “faxed” document (see Fig. 1). These initial links commonly used the Cloudflare content delivery network (CDN) workers[.]dev to evade anti-phishing detection systems.


Fig. 1 – Example of a Phishing email template sent in this campaign

Throughout this campaign, Curated Intel analysts identified that part of the infrastructure was deliberately tailored to its targets. This shows the threat actors had likely researched their targets before launching phishing emails against specific targets from a predetermined list.

The embedded URL in the phishing emails redirects users to a convincing web application, often delivered via another third-party CDN. The application was designed to trick the user into thinking they were logging in to the Adobe Document Cloud application. However, it collects and exfiltrates any login credentials entered by the user before redirecting them to the genuine ‘login.microsoftonline.com’ URL.

Fig. 2 – Credential stealing Adobe Document Cloud-themed landing page

What was notable about this campaign to Curated Intelligence analysts was that it had largely reused the same infrastructure for redirection links and to host landing pages. This includes “share[.]sender[.]net”, “workers[.]dev”, and “erpnext[.]com” hostnames. Over the course of a six-month period, Curated Intelligence analysts observed up to 134 unique URLs. There are almost certainly many more URLs related to this campaign that were not identified by Curated Intelligence.

There was one common artefact about this campaign that enabled Curated Intelligence analysts to track this wave of attacks: the Firebase site “runn1rnl8xzmqeh0kvov[.]web[.]app” that was used for data exfiltration. This Google Firebase site was present in all the fake Adobe Document Cloud landing pages. Curated Intelligence reported the main Google Firebase site, along with our research, to the UK’s National Cyber Security Centre (NCSC) for enforcement action.
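The attack chain described above (lure email, redirect through an abused legitimate service, Adobe-themed landing page, credential POST to the Firebase site) gives a defender three places to look in web proxy logs. The script below is an added example, not code from the report or from Curated Intelligence: it refangs a handful of the report's defanged indicators, distinguishes whole-host indicators (the Firebase exfiltration site, dedicated workers.dev names) from host-plus-path indicators on shared services (share.sender.net, erpnext.com) so that benign users of those services are not flagged, and triages constructed proxy log lines into known-IOC hits, suspicious workers.dev hostnames, and leads on abused services. The log format, the sample log lines and the lure-word heuristic are assumptions made for this example.

```python
"""Triage proxy log URLs against the indicators published in this report.

Added example (not part of the report). The log format, the sample log
lines and the LURE_WORDS heuristic are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# A few indicators copied from the report, kept defanged as published.
REPORT_IOCS = [
    "runn1rnl8xzmqeh0kvov[.]web[.]app",   # Firebase exfiltration site
    "hxxps://adobe-cloud[.]secured-document[.]workers[.]dev/",
    "hxxps://advivo[.]erpnext[.]com/advivo",
    "hxxps://share[.]sender[.]net/campaigns/2G8r/files",
]

# Legitimate services the campaign abused. A hit here is a lead to review,
# not a verdict, because these services carry plenty of benign traffic.
ABUSED_SERVICES = ("workers.dev", "erpnext.com", "share.sender.net",
                   "onedrive.live.com", "1drv.ms")

# Assumed heuristic: lure words that recur in the report's workers.dev names
# (adobe-cloud, document-protections, docs-verify, microsft-docs, ...).
LURE_WORDS = ("adobe", "document", "docs", "sign", "secure", "microsft")


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('hxxps://', '[.]') back to a live form."""
    live = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", live, flags=re.IGNORECASE)


def split_url(value: str) -> tuple:
    """Return (lower-cased host, path without trailing slash) for a URL or bare host."""
    if "://" not in value:
        value = "http://" + value
    parsed = urlparse(value)
    return (parsed.hostname or "").lower(), parsed.path.rstrip("/")


def in_zone(host: str, zone: str) -> bool:
    """True if host equals zone or is a subdomain of it."""
    return host == zone or host.endswith("." + zone)


def build_blocklist(iocs):
    """Split IOCs into whole-host blocks and host+path blocks.

    An indicator with no path blocks the whole host; one with a path on a
    shared service only matches that exact path.
    """
    host_block, url_block = set(), set()
    for ioc in iocs:
        host, path = split_url(refang(ioc))
        if path:
            url_block.add((host, path))
        else:
            host_block.add(host)
    return host_block, url_block


def classify(url: str, host_block: set, url_block: set) -> str:
    """Return 'known_ioc', 'suspicious', 'abused_service' or 'clean'."""
    host, path = split_url(url)
    if host in host_block or (host, path) in url_block:
        return "known_ioc"
    if in_zone(host, "workers.dev") and any(w in host for w in LURE_WORDS):
        return "suspicious"
    if any(in_zone(host, zone) for zone in ABUSED_SERVICES):
        return "abused_service"
    return "clean"


HOST_BLOCK, URL_BLOCK = build_blocklist(REPORT_IOCS)

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2021-09-14T08:01:12Z 10.0.4.21 GET https://login.microsoftonline.com/ 200
2021-09-14T08:02:40Z 10.0.4.21 GET https://share.sender.net/campaigns/2G8r/files 302
2021-09-14T08:02:41Z 10.0.4.21 GET https://bitter-shadow-cf82.document-protections.workers.dev/ 200
2021-09-14T08:03:05Z 10.0.4.21 POST https://runn1rnl8xzmqeh0kvov.web.app/ 200
2021-09-14T08:05:00Z 10.0.4.33 GET https://share.sender.net/campaigns/ZZZZ/newsletter 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text: str, host_block=HOST_BLOCK, url_block=URL_BLOCK):
    """Return (client_ip, host, verdict) for every line that is not clean."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = match.groups()
        verdict = classify(url, host_block, url_block)
        if verdict != "clean":
            hits.append((client, split_url(url)[0], verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:15} {client:12} {host}")
```

In the sample, the same client fetches a share.sender.net campaign link, lands on a document-themed workers.dev host that is not in the short list but matches the lure-word heuristic, and then POSTs to the Firebase site; that sequence from one client is the pattern worth alerting on, while the lone hit on a different share.sender.net campaign is only a lead.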

This campaign was traced back to at least August 2021 and has targeted organisations from a variety of industry verticals. The graphs below (see Fig. 3 and Fig. 4) show the distribution of phishing targets by industry vertical and by the country in which the organisation is based.


Fig. 3 – Phishing targets per industry vertical


Fig. 4 – Phishing targets per country

The threat actor behind the attacks must have had access to considerable resources, given the sheer breadth of the infrastructure used and the effort taken to stand it up. It is believed that the threat actor behind the campaign is a cybercriminal group aimed at business email compromise (BEC) for financial gain; the size of the infrastructure used in this campaign nonetheless shows considerable effort and resource.

Curated Intelligence analysts also identified that many of the organisations targeted in this campaign were small to medium upstream suppliers to critical national infrastructure. If compromised successfully, these could potentially be used by these threat actors as a foothold from which more significant organisations may be targeted.

Indicators of Compromise (IOCs)

Data Exfiltration site:

  • runn1rnl8xzmqeh0kvov[.]web[.]app

Abused Legitimate Services:

  • share[.]sender[.]net
  • workers[.]dev
  • erpnext[.]com
  • onedrive[.]live[.]com
  • 1drv[.]ms

Phishing URLs:

Cloudflare Workers phishing links

hxxps://adobe-cloud[.]secured-document[.]workers[.]dev/

hxxps://adobe-owas-forest-40ff[.]sofsusjolmngung[.]workers[.]dev/

hxxps://auth10-services-adobe-creativecloud[.]authcloud[.]workers[.]dev/

hxxps://autumn-waterfall-48b2[.]purchase-doc-blliblju[.]workers[.]dev/

hxxps://bitter-rice-cd6b[.]document-write-inv[.]workers[.]dev/

hxxps://bitter-shadow-cf82[.]document-protections[.]workers[.]dev/

hxxps://cloud[.]asset-documeeent[.]workers[.]dev/

hxxps://docs-dew-6406[.]retupamyte[.]workers[.]dev/

hxxps://docs-onlinsecurity-sun-6ac8[.]docsnetaseltic[.]workers[.]dev/

hxxps://docs-verify-c671[.]thajetiase[.]workers[.]dev/

hxxps://document[.]in-ouathh[.]workers[.]dev/

hxxps://document[.]validation-ogg[.]workers[.]dev/

hxxps://file[.]sheet-plugin[.]workers[.]dev/

hxxps://floral-smoke-53e7[.]document-sharedds[.]workers[.]dev/

hxxps://fragrant-rice-3226[.]document-shareds[.]workers[.]dev/

hxxps://late-heart-722a[.]docs-coanyouamp[.]workers[.]dev

hxxps://lively-star-1117[.]document-signoauth[.]workers[.]dev/

hxxps://lucky-fog-25e7[.]storage-document-inc[.]workers[.]dev/

hxxps://mdqw[.]qttzjapy2802[.]workers[.]dev/usr[.]html

hxxps://odd-field-9e1d[.]microsft-docs-foecisayant[.]workers[.]dev/

hxxps://proud-sun-4c38[.]document-protections[.]workers[.]dev/

hxxps://red-firefly-5986[.]document-beoent[.]workers[.]dev/

hxxps://secure-document-2b67[.]adobedocument[.]workers[.]dev/

hxxps://soft-morning-9a22[.]document-write-inv[.]workers[.]dev/

hxxps://soft-resonance-15e1[.]document-inv3289[.]workers[.]dev/

hxxps://still-adobe-sign-ce12[.]utkerdihed[.]workers[.]dev/

hxxps://sweet-tooth-e24f[.]files-document-coeed[.]workers[.]dev/

hxxps://wandering-butterfly-2d13[.]document-remit[.]workers[.]dev/

hxxps://yuihkjnm[.]ck9xds6orx4552[.]workers[.]dev/

Erpnext phishing links

hxxp://hayburysearch[.]erpnext[.]com/haybury

hxxps://3dlacrosse[.]erpnext[.]com/3d-lacrosse

hxxps://aainsla[.]erpnext[.]com/american-access-casualty-company

hxxps://advivo[.]erpnext[.]com/advivo

hxxps://afm-org[.]erpnext[.]com/the-american-federation-of-musicians

hxxps://air-equipments[.]erpnext[.]com/air-equipment

hxxps://amcham[.]erpnext[.]com/american-chamber

hxxps://amsysnl[.]erpnext[.]com/amsys

hxxps://apollotheater[.]erpnext[.]com/apollo-theater

hxxps://avesqos[.]erpnext[.]com/avesqo

hxxps://aviapartners[.]erpnext[.]com/aviapartner

hxxps://balguard[.]erpnext[.]com/balguard-engineering-ltd

hxxps://barcoenergy[.]erpnext[.]com/barco-energy

hxxps://bebat-be[.]erpnext[.]com/bebat

hxxps://beyondkey[.]erpnext[.]com/beyondkey-past-dues-lnvoices-005421-c6951c1561b1a0baa3ce10024a0daafab34359352526download25&

hxxps://bishopcleancare[.]erpnext[.]com/bishop-clean-care

hxxps://bmspc[.]erpnext[.]com/bristol-metal-spraying-and-protective-coatings-ltd

hxxps://brockskes-nl[.]erpnext[.]com/brockskes

hxxps://brownsterlings[.]erpnext[.]com/brown-&-sterling

hxxps://cfao-fr[.]erpnext[.]com/the-cfao-group

hxxps://cmgt-org[.]erpnext[.]com/community-management

hxxps://crd-rr[.]erpnext[.]com/crd-rr-past-dues-lnvoices-005421-c6951c1561b1a0baa3ce10024a0daafab34359352526download25

hxxps://crsteel[.]erpnext[.]com/capital-reinforcing

hxxps://ctl-inc[.]erpnext[.]com/cory-tucker-&-larrowe

hxxps://divalco[.]erpnext[.]com/divalco

hxxps://etcppt[.]erpnext[.]com/etcp

hxxps://eutect-de[.]erpnext[.]com/eutect-gmbh

hxxps://fabricationsolutions[.]erpnext[.]com/fabrication-solutions-inc

hxxps://famsbrands[.]erpnext[.]com/fam-brands

hxxps://fancypakbrand[.]erpnext[.]com/fancy-pak-brand-inc

hxxps://fpeseals[.]erpnext[.]com/fpe-seals

hxxps://ghchospice[.]erpnext[.]com/ghc-hospice

hxxps://heclanl[.]erpnext[.]com/hecl

hxxps://hplegal[.]erpnext[.]com/hammond-partnership

hxxps://ies-uk[.]erpnext[.]com/ies

hxxps://intermat[.]erpnext[.]com/intermat

hxxps://invertedmusic[.]erpnext[.]com/

hxxps://invertedmusic[.]erpnext[.]com/inverted-music

hxxps://iskramehanizmi-si[.]erpnext[.]com/iskra-mehanizmi

hxxps://jacot-nl[.]erpnext[.]com/jacot-audiovisueel

hxxps://jobasi-sa[.]erpnext[.]com/jobasi

hxxps://jsmltd-jp[.]erpnext[.]com/jsm-ltd?mc_phishing_protection_id=28048-c6nembf0s0v96ql4hen0

hxxps://jtdinc[.]erpnext[.]com/tisdel-distributing

hxxps://kis-no[.]erpnext[.]com/kis

hxxps://laborlawdenver[.]erpnext[.]com/labor-law-denver

hxxps://leva-eu[.]erpnext[.]com/leva-eu

hxxps://linacservices[.]erpnext[.]com/linac-services-limited

hxxps://local802afm[.]erpnext[.]com/local-802

hxxps://lrorg[.]erpnext[.]com/lloyd%27s-register

hxxps://lubinandenoch[.]erpnext[.]com/lubin-&-enoch

hxxps://madaluxes[.]erpnext[.]com/madaluxe-group

hxxps://migizigroup[.]erpnext[.]com/migizi-group

hxxps://mvpantarhei[.]erpnext[.]com/mv-panta-rhei

hxxps://neelevat[.]erpnext[.]com/-neele-vat-logistics

hxxps://netchange[.]erpnext[.]com/netchange

hxxps://nordtexts[.]erpnext[.]com/nordtext

hxxps://nptwf[.]erpnext[.]com/nexperia-newport

hxxps://nycallliance[.]erpnext[.]com/nyc-alliance

hxxps://oceanwidecrew[.]erpnext[.]com/oceanwide

hxxps://ohi-pt[.]erpnext[.]com/omni-helicopter-internationa

hxxps://petrotechinc[.]erpnext[.]com/petrotech

hxxps://phantomchef[.]erpnext[.]com/phantom-chef

hxxps://polytec[.]erpnext[.]com/polytec

hxxps://powerling[.]erpnext[.]com/powerling

hxxps://rieder-verdonck[.]erpnext[.]com/rieder-&-verdonck

hxxps://rtff-ie[.]erpnext[.]com/rtff-business-services-ltd

hxxps://sadiv[.]erpnext[.]com/sadiv

hxxps://safs-uk[.]erpnext[.]com/safs-ltd

hxxps://savageengineering[.]erpnext[.]com/savageengineeringservices-past-dues-lnvoices-005421-c6951c1561b1a0baa3ce10024a0daafab34359352526download25

hxxps://sb-international[.]erpnext[.]com/s-b-international

hxxps://sfp-uk[.]erpnext[.]com/sfp-uk-limited

hxxps://slblarkhall[.]erpnext[.]com/ferwedafgartwgvdfvwgt4ghrwgrwethnrttryhytee

hxxps://smc-pl[.]erpnext[.]com/smc-industrial-automation-polska

hxxps://snovalley[.]erpnext[.]com/snovalley

hxxps://speedlinks[.]erpnext[.]com/speedlink

hxxps://telade[.]erpnext[.]com/telade

hxxps://thoms-aviation[.]erpnext[.]com/thoms-aviation

hxxps://tnmarine-nl[.]erpnext[.]com/true-north-marine-b[.]v

hxxps://trescon[.]erpnext[.]com/3con

hxxps://trinityavl[.]erpnext[.]com/trinity-avl

hxxps://xmaxerox[.]erpnext[.]com/xma-technological-solutions

MS OneDrive phishing links

hxxps://1drv[.]ms:443/o/s!BFXzhgvUz7FEkw6-FODuiMdZoIQ4?e=iYFni00oxk2hGp3PE_Znsw&at=9

hxxps://onedrive[.]live[.]com/redir?resid=EB60680693E79E45!324&authkey=!AN0n1unp39Prpvk&ithint=file%2cpdf&e=TvQQee

Share Sender phishing links

hxxps://share[.]sender[.]net/campaigns/2G8r/files

hxxps://share[.]sender[.]net/campaigns/2H1f/files

hxxps://share[.]sender[.]net/campaigns/2PDU/filess

hxxps://share[.]sender[.]net/campaigns/2PXQ/messages

hxxps://share[.]sender[.]net/campaigns/2QWO/documentsss

hxxps://share[.]sender[.]net/campaigns/2QZw/emailssss

hxxps://share[.]sender[.]net/campaigns/2R1o/broadleafgame

hxxps://share[.]sender[.]net/campaigns/2RUB/handlesafe

hxxps://share[.]sender[.]net/campaigns/2TCl/messagazss

hxxps://share[.]sender[.]net/campaigns/2wqv/docs

hxxps://share[.]sender[.]net/campaigns/2yjh/fhjdh

hxxps://share[.]sender[.]net/campaigns/2yJP/files

hxxps://share[.]sender[.]net/campaigns/2yll/filex

hxxps://share[.]sender[.]net/campaigns/2yn5/docs

hxxps://share[.]sender[.]net/campaigns/2ynC/files

hxxps://share[.]sender[.]net/campaigns/3aeY/docsx

hxxps://share[.]sender[.]net/campaigns/3ahf/filesx

hxxps://share[.]sender[.]net/campaigns/3b3z/propos

hxxps://share[.]sender[.]net/campaigns/3eX7/shaffnerheaney

hxxps://share[.]sender[.]net/campaigns/3f5N/keelsavocats

hxxps://share[.]sender[.]net/campaigns/3fDw/audixia

hxxps://share[.]sender[.]net/campaigns/3fl2/proposedme