Deceptive PDF Disguised as RingCentral Leads to Phishing Attacks
Overview
The SonicWall Capture Labs threat research team has observed PDF files masquerading as RingCentral, a communication and collaboration platform. The PDFs embed malicious URLs intended to carry out social engineering attacks for credential theft.
Infection Cycle
The PDF document bears the message "You have a new voice message." alongside the RingCentral logo and prompts the user to act with the instruction "Click here to listen." Clicking the provided link redirects the user to a URL on an Adobe-hosted service. Malware authors abuse such sites (or hosts) because they are trusted locations that normally serve legitimate content (in this case, an Adobe URL).
Figure 1: PDF document
Upon accessing the Adobe URL, the user is initially presented with a progress bar, cleverly designed to simulate the loading process of a voice message.
Figure 2: Fake voice message loading
A webpage then appears, bearing the RingCentral logo and a conspicuous button labelled "Listen to Voice Message." This sequence is deliberately crafted to create a false sense of legitimacy by leveraging familiar branding; a user who takes the environment to be authentic may click the button and fall victim to the attack. It shows how the social engineering technique exploits trust in recognizable visuals to make the fraudulent scheme more effective.
Figure 3: Fake RingCentral page on Adobe domain
Following the user's click on the link provided in the PDF file, a redirection leads to another malicious URL, where the user is presented with a phishing page designed to imitate the Microsoft sign-in interface. The page closely resembles the legitimate Microsoft sign-in page, tricking users into believing they are interacting with the authentic platform.
Figure 4: Microsoft phishing page
On this fraudulent Microsoft sign-in page, unsuspecting users may be prompted to enter their login credentials — such as usernames and passwords — under the false pretense of accessing the supposed voice message or related content. However, the entered information is captured by malicious actors for unauthorized access and potential misuse.
At the time of writing, this malicious file was not present on popular malware search portals such as VirusTotal and ReversingLabs, which indicates its potential to spread:
Figure 5: VirusTotal
This multi-stage attack involves the initial lure of a fake voice message in the PDF, the redirection to a malicious URL, and the presentation of a deceptive Microsoft sign-in page. It highlights the need for users to exercise caution and verify the authenticity of online interactions, especially when prompted to provide sensitive information, to prevent falling victim to phishing attempts and safeguard personal security.
SonicWall Protections
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: MalAgent.A_1994
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
IOCs
- 85a38010b20ce02fd0387b1e36e0ab68a2d87d39d754434e6929dca67e9bc962
Relevant Links
- hxxps://new[.]express[.]adobe[.]com/webpage/jWVSJkpCewb2X
- hxxps://zqpfl[.]ipisecti[.]ru/97c9zhbt/
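The link-bearing PDF and the indicators listed above lend themselves to a simple triage check. The following Python is an added example, not SonicWall's code: it extracts /URI link actions from an uncompressed PDF and matches them against the defanged indicators. The sample PDF and the /other/ path on the .ru host are constructed, and the Adobe host is treated as abused-but-legitimate, so only the exact Adobe URL is flagged rather than every link to that host.

```python
import re
from urllib.parse import urlparse

# Indicators as published above, kept defanged in source and refanged in memory only for matching.
DEFANGED_INDICATORS = [
    "hxxps://new[.]express[.]adobe[.]com/webpage/jWVSJkpCewb2X",
    "hxxps://zqpfl[.]ipisecti[.]ru/97c9zhbt/",
]
# Abused-but-legitimate hosts: match the exact URL only, never the whole host (false positives).
SHARED_HOSTS = {"new.express.adobe.com"}

def refang(indicator: str) -> str:
    """Convert hxxps://a[.]b notation back into a normal URL."""
    return re.sub(r"^hxxp", "http", indicator, flags=re.I).replace("[.]", ".")

# A /URI (...) action stored as a literal string; tolerates backslash-escaped characters.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^()\\])*)\)")

def extract_uris(pdf_bytes: bytes) -> list:
    """Return URI link actions from uncompressed PDF objects (inflate object streams first)."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]

def flag_pdf(pdf_bytes: bytes, indicators=DEFANGED_INDICATORS) -> list:
    """Return (uri, reason) for each link matching an indicator exactly or by attacker-owned host."""
    known = {refang(i) for i in indicators}
    attacker_hosts = {urlparse(u).hostname for u in known} - SHARED_HOSTS
    hits = []
    for uri in extract_uris(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if uri in known:
            hits.append((uri, "exact indicator match"))
        elif host in attacker_hosts:
            hits.append((uri, "host %s is a known indicator host" % host))
    return hits

# Constructed sample: a minimal PDF with three link annotations (not the real lure file).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://new.express.adobe.com/webpage/jWVSJkpCewb2X) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://zqpfl.ipisecti.ru/other/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/help) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(flag_pdf(SAMPLE_PDF))
```

Real lure PDFs often store annotations inside FlateDecode-compressed object streams, so decompress them (for example with a PDF library) before handing the bytes to extract_uris.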