Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 PM

AutoCAD Worm Targets Design Documents In Possible Espionage Campaign

A worm is stealing AutoCAD documents and sending them to email accounts opened at two Chinese Internet providers

A malware campaign targeting AutoCAD drawings uncovered by security researchers at ESET could be a massive case of industrial espionage.

AutoCAD is software for computer-aided design and drafting in both two-dimensional and three-dimensional formats. The campaign appears to be primarily targeting Peru and has reached at least 10,000 machines -- a relatively large number given the nature of the malware.

"I don't think all victims were intentional targets," says ESET malware researcher Pierre-Marc Bureau. "This is probably more of a shotgun approach where the malware operator will try to gather as much information as possible by infecting as many systems as possible."

A small number of infections of the worm, which ESET calls ACAD/Medre.A, have appeared in other countries, but, except for China, they are all nations that are either near Peru or have a large Spanish-speaking population. Using ESET's LiveGrid early warning system, researchers were able to uncover detections at specific URLs that make it clear a specific website supplied the AutoCAD template infected with ACAD/Medre.A that appears to be causing the localized spike in infections, explains Righard Zwienenberg, ESET Senior Research Fellow.

The infection occurs when a victim opens an AutoCAD document with the malicious LISP code. Once the code is started, it will create copies of itself in multiple locations to spread to other systems.

"If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries," Zwienenberg blogged. "The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the -- by then -- infected project ... The sample is able to infect versions 14.0 to 19.2 of AutoCAD by modifying the corresponding native startup file of AutoLISP (acad.lsp) by being named as the auto-load file acad.fas. It employs Visual Basic Scripts that are executed using the Wscript.exe interpreter that is integrated in the Windows operating system since Windows 2000."

"The author assumes that his code will even work for future versions of AutoCAD as it has support for the AutoCAD versions that will be released in 2013, 2014, and 2015," he added.

After some configuration, ACAD/Medre.A will send the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at Chinese Internet provider 163.com. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese Internet provider.

"Remarkably, this is done by accessing smtp.163.com and smtp.qq.com with the different account credentials," the research fellow stated. "It is ill advised to have Port 25 outgoing allowed other than to your own ISP. Obviously the Internet Providers in Peru do allow this. Also it is reasonable to assume that the companies that are a victim of this suspected industrial espionage malware do not have their firewalls configured to block Port 25 either."

According to Bureau, there is no command-and-control server involved in this operation. The malware simply reports every stolen document back to the malicious operator via email. The email accounts used in this operation have been closed, he notes.

"We do not have enough evidence to say which industry was being targeted," Bureau says. "AutoCAD can be used to create all kinds of design documents. The impact of the thefts of such documents can be big. For example, imagine your company has prepared the blueprints for a skyscraper, [and then someone] steals this works and bids on the same contract with a lower price. Potential losses can be huge."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
An SSRF issue in Open Distro for Elasticsearch (ODFE) before allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
PUBLISHED: 2021-05-06
Arbitrary File Deletion vulnerability in puppyCMS v5.1 allows remote malicious attackers to delete the file/folder via /admin/functions.php.
PUBLISHED: 2021-05-06
Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via /admin/functions.php.
PUBLISHED: 2021-05-06
An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the ...
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a syst...