Malware spread through infected AutoCAD files targeted firms in Peru to collect and dispatch stolen drawings to email accounts located in China, researchers said.
Security researchers at ESET have uncovered a
malware campaign targeting AutoCAD drawings in an apparent attempt at
AutoCAD is a widely used computer-aided
design application that has been in use worldwide since the mid-1980s. It
allows drafting in both two-dimensional and three-dimensional formats. The
campaign appears to be primarily targeting Peru and it has resulted in
thousands of AutoCAD files being leaked, according to ESET.
"We do not have enough evidence to say
which industry was being targeted," said ESET malware researcher
Pierre-Marc Bureau. "AutoCAD can be used to create all kinds of
design documents. The impact of the thefts of such documents can be
big. For example, imagine your company has prepared the blueprints for a
skyscraper and somebody steals this work and bids on the same contract with a
lower price. Potential losses can be huge."
A small number of infections of the worm,
which ESET calls ACAD/Medre.A, have appeared outside Peru. Except for China,
however, they are all nations that are either near Peru or have a large
Spanish-speaking population. The infection occurs when a victim opens an
AutoCAD document with the malicious LISP code. Once the code is launched, it
will create copies of itself in multiple locations to spread to other systems.
Using ESET's LiveGrid early-warning system,
researchers were able to uncover indications at certain URLs that make it clear
a specific Website supplied the AutoCAD template infected with ACAD/Medre.A
that appears to be causing the localized spike in infections, Righard
Zwienenberg, ESET senior research fellow, noted
in a blog post
"If it is assumed that companies which
want to do business with the entity have to use this template, it seems logical
that the malware mainly shows up in Peru and neighboring
countries," Zwienenberg blogged. "The same is true for larger
companies with affiliated offices outside this area that have been asked to
assist or to verify theby theninfected project. ... The sample is able to
infect versions 14.0 to 19.2 of AutoCAD by modifying the corresponding native
startup file of AutoLISP (acad.lsp) by being named as the auto-load file
acad.fas. It employs Visual Basic Scripts that are executed using the
Wscript.exe interpreter that has been integrated in the Windows operating
system since Windows 2000.
It appears that the author of the malware
assumes that his code will even work for future versions of AutoCAD as it has
support for the AutoCAD versions that will be released in 2013, 2014 and
2015," he added.
After some configuration, ACAD/Medre.A would
send various AutoCAD drawings that are opened by email to a recipient with an email
account at Chinese Internet provider 163.com. All totaled, 23 accounts at
163.com and 21 accounts at qq.com, another Chinese Internet provider, were used
for relay purposes.
"Remarkably, this is done by accessing
smtp.163.com and smtp.qq.com with the different account credentials," the
research fellow stated. "It is ill-advised to have Port 25 outgoing
allowed other than to your own ISP. Obviously, the Internet Providers in Peru
do allow this. Also, it is reasonable to assume that the companies that are a
victim of this suspected industrial espionage malware do not have their
firewalls configured to block Port 25 either."
According to Bureau, there is no
command-and-control server involved in this operation. The malware simply
reports every stolen document back to the malicious operator via email. The
email accounts used in this operation have been closed, he noted.
"I don't think all victims were
intentional targets," Bureau said. "This is probably more of a
shotgun approach where the malware operator will try to gather as much
information as possible by infecting as many systems as possible."