Technical Analysis: The “RatPressto” Phishing Kit Exploiting Adobe Document Cloud Trust

Cyber threat actors are currently executing a sophisticated social engineering campaign that weaponizes the inherent trust users place in the Adobe Document Cloud ecosystem. By deploying deceptive landing pages, attackers are successfully delivering remote access trojans (RATs) to high-value targets, specifically within the financial sector.

The backbone of this operation is a highly modular phishing kit identified as “RatPressto.” This toolkit is designed to bypass traditional perimeter defenses by leveraging compromised WordPress installations and legitimate software binaries to blend into standard enterprise network traffic.

Attack Vector and Execution Chain

The infection lifecycle begins with targeted phishing emails masquerading as legitimate corporate document notifications. These messages typically claim that a secure, high-priority file has been uploaded to Adobe Document Cloud due to strict confidentiality or file-size constraints. The call to action—a “View File” hyperlink—directs the victim to a compromised WordPress site hosting a pixel-perfect replica of the Adobe login or document preview interface.

A key technical distinction in the RatPressto campaign is its shift away from traditional malicious attachments. Instead, it utilizes a staged, web-based delivery mechanism:

  • Visual Deception: Upon visiting the link, the user is presented with a convincing “download complete” status message, inducing a false sense of security.
  • Silent Payload Delivery: While the user interacts with the UI, a hidden <iframe> executes in the background, silently initiating the download of a malicious payload.
  • Living-off-the-Land (LotL): The payload typically installs ConnectWise ScreenConnect. While ScreenConnect is a legitimate remote administration tool, the attackers repurpose its signed binaries to establish persistent, encrypted command-and-control (C2) channels that often evade detection by standard EDR (Endpoint Detection and Response) solutions.

Researchers from Fortra (FIRE) noted that the kit is remarkably consistent. Attackers utilize the same HTML templates and branding across multiple domains, altering only victim-specific metadata to increase the perceived legitimacy of the lure.

Infrastructure and Evasion Tactics

The campaign exhibits a high level of operational maturity through several advanced evasion techniques:

1. Reputation Hijacking: To avoid being flagged by web reputation filters, attackers stage secondary payloads on legitimate platforms like GitHub. By using GitHub as a distribution point, the traffic appears as routine developer activity.

2. Exploitation of CMS Vulnerabilities: The prevalence of compromised WordPress sites indicates a systematic exploitation of unpatched plugins or weak administrative credentials. This allows attackers to host phishing content on domains that may already possess a neutral or positive reputation.

3. Environmental Awareness: The RatPressto kit includes defensive features such as IP filtering, mobile device detection, and the integration of Cloudflare telemetry. These mechanisms allow the attackers to verify the environment and ensure they are interacting with a real victim rather than a security researcher or automated sandbox.

4. Geographic Profiling: Preliminary infrastructure analysis has identified patterns suggesting the hosting and domain registration may originate from São Paulo, Brazil, though formal attribution remains at medium confidence.

Mitigation and Defensive Recommendations

To defend against the RatPressto campaign, security operations centers (SOC) should implement the following controls:

  • Monitor Remote Access Tools: Implement strict visibility and alerting for the installation or execution of remote administration tools (like ScreenConnect) on non-administrative workstations.
  • Hardening Web Assets: Ensure all public-facing WordPress installations are patched and that administrative interfaces (/wp-admin) are restricted via IP allowlisting or Multi-Factor Authentication (MFA).
  • Email Security: Enhance mail gateway policies to flag or quarantine emails containing links to newly registered domains or suspicious redirects.
  • User Awareness: Train employees to verify document requests through out-of-band communication channels before interacting with unexpected “secure file” links.

Indicators of Compromise (IOCs)

Category Indicator
Domain cloud.zistopstoabetterlife[.]com
Domain iconclinic[.]ae
Domain ampliawifi[.]com
Domain gaheempreendimentos[.]com
Domain vetcarebd[.]xyz
Domain nabellacouture[.]com
Domain birexo[.]icu
Domain abpmed[.]com
Domain c3po3090[.]com[.]br
Infrastructure IP 84[.]32[.]41[.]64
Infrastructure IP 177[.]154[.]191[.]148
File Artifact ScreenConnect.ClientSetup.msi
File Artifact microsoftceo.exe
File Artifact ceo.msi

Note: IoCs have been defanged to prevent accidental execution.

Related Articles

Back to top button