Hackers for hire group target organizations via 3ds Max exploit

Experts discovered a new hacker hacker-for-hire group that is targeting organizations worldwide with malware hidden inside malicious 3Ds Max plugins.

Security researchers from Bitdefender discovered a new hacker group that is currently targeting companies across the world with malware hidden inside malicious 3Ds Max plugins.

Autodesk 3ds Max, formerly 3D Studio and 3D Studio Max, is a professional 3D computer graphics program for making 3D animations, models, games and images. It is developed and produced by Autodesk Media and Entertainment.[2] It has modeling capabilities and a flexible plugin architecture and must be used on the Microsoft Windows platform. I

3Ds Max is used by engineering, architecture, gaming, or software organizations.

In early August, Autodesk published a security alert warning about a malicious plugin named “PhysXPluginMfx,” it is a variant of the MAXScript exploit.

“A variant of a MAXScript exploit “PhysXPluginMfx” has been identified and a free plugin is now available in the Autodesk App Store to detect and remove the malicious code.” reads the security alert.

Upon loading the malicious plugin inside 3Ds Max, PhysXPluginMfx would execute malicious MAXScript operations to corrupt 3Ds Max settings, run malicious code, and even propagate to other MAX files.

According to Bitdefender, the plugin was designed to deploy a backdoor trojan that could be used to steal sensitive files from the infected systems.

Bitdefender researchers investigated at least one attack against an international architectural and video production company that has been collaborating in billion-dollar real estate projects in New York, London, Australia, and Oman.

“During the investigation, Bitdefender researchers found that threat actors had an entire toolset featuring powerful spying capabilities and made use of a previously unknown vulnerability in a popular software widely used in 3D computer graphics (Autodesk 3ds Max) to compromise the target.” reads the post published by BitDefender.

“Industrial espionage is nothing new, and, since the real estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects. This could justify turning to mercenary APT groups for gaining a negotiation advantage.”

The threat actor used a malware command and control (C&C) server that was located in South Korea.

“Looking through the telemetry of the C&C, we noticed that there are reports, which include some of the discovered .net assembly internal names found initially on the victims’ machine or downloaded from the C&C.” continues the report. “After analysis, we have managed to gather more tools, based on direct usage or based on common portions of code. Beside this, we have also noticed that all of them share the C&C address from the victim (address + port).”

Some of the samples analyzed by Bitdefender connected to the C&C server from countries South Korea, United States, Japan, and South Africa, a circumstance that suggests the hackers might have also targeted businesses in these countries.

The attackers also use malware to collect details about the compromised host and steal files with specific extensions.

According to the researchers, the attackers compile file-stealing component for each victim to include the list of files they want to steal.

To avoid detection, the malicious binary remains dormant if Task Manager or Performance Monitor were running.

The report includes a lot of technical details about the operation of the group. This year, security firm spotted other hacker-for-hire groups, including Dark Basin and DeathStalker.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, 3ds Max)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

New AT&T data breach exposed call logs of almost all customers

AT&T disclosed a new data breach that exposed phone call and text message records for…

20 hours ago

Critical flaw in Exim MTA could allow to deliver malware to users’ inboxes

A critical vulnerability in Exim mail server allows attackers to deliver malicious executable attachments to…

23 hours ago

Palo Alto Networks fixed a critical bug in the Expedition tool

Palo Alto Networks addressed five vulnerabilities impacting its products, including a critical authentication bypass issue. Palo…

1 day ago

Smishing Triad Is Targeting India To Steal Personal and Payment Data at Scale

Resecurity has identified a new campaign by the Smishing Triad that is targeting India to…

1 day ago

October ransomware attack on Dallas County impacted over 200,000 people

The ransomware attack that hit Dallas County in October 2023 has impacted more than 200,000…

2 days ago

CrystalRay operations have scaled 10x to over 1,500 victims

A threat actor known as CrystalRay targeted 1,500 victims since February using tools like SSH-Snake…

2 days ago

This website uses cookies.