A virus specialized for AutoCAD, a perfect cyber espionage tool

In recent years we are assisting to a profoundly change in the nature of malware, it is increased the development for spy purposes, for its spread in both private and government sectors.

The recent case of Flame malware has demonstrated the efficiency of a malicious agent as a gathering tool in a typical context of state-sponsored attack for cyber espionage.

Event like this represent the tip of the iceberg, every day millions of malware instances infect pc in every place in the world causing serious damages related to the leak of sensible information.

Specific viruses are developed to address particular sectors and information, that is the case for example of “ACAD/Medre.A”, a malware specialized in the theft of AutoCAD files. The virus has been developed to steal blueprints from private companies mostly based in Peru according the expert of the security firm ESET.

The virus is able to locate AutoCAD file on infected machines and to send them via e-mail to accounts provided by two Chinese internet firms, 163.com and qq.com.

The malware detected is written in AutoLISP, an AutoCAD scripting language, ACAD/Medre for the shipment of stolen data creates a password protected RAR-file containing the blueprints and the requisite “acad.fas” file and a “.dxf” file and send it separately by e-mail. The .DXF file generated by ACAD/Medre contains a set of information that the recipient uses to the collecting of stolen files.

The password used for the RAR file is just one character  equals to “1”.

Once discovered the email accounts used to transfer the stolen data the group of researcher noticed that the InBox for each of them was full, they turned out all saturated by over 100,000 mails giving an idea of the dimension of the attack.

The virus has been detected several months ago but only in the last weeks it has been observed an explosion of the number of infected systems.

The researcher Righard Zwienenberg researcher of ESET declared

“[It] represents a serious case of industrial espionage,”

“Every new design is sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production.”

“They may even have the guts to apply for patents on the product before the inventor has registered it at the patent office.”

The malware not limits its action to steal Autocad projects, it also checks the presence of Outlook email client to steal the pst file containing contacts, calendar and emails, confirming its genesis of espionage tool.

For completeness of information ESET provided a free stand-alone cleaner available for the ACAD/Medre.A worm.

Every time we speak about of cyber espionage we could not think other that China, however the practice is really diffused and the fact that the accounts are related to Chinese accounts is clue but not a certainty.

It’s clear that Chinese hackers are considered worldwide specialist in cyber espionage, the case of Nortel is considered a case study for the impact of cyber espionage on the business of private companies.

The Chinese government, and not only, at least a decade sponsored espionage activities for stealing trade secrets, confidential information and intellectual property of various kinds. Many experts are convinced that thanks to their ability to spy they were able, through the theft and reverse engineering of products, to clear the technological gap with the western industry.

This time the Chinese authorities have demonstrated a collaborative approach identifying and blocking the accounts used for theft.  Tens of thousands of AutoCAD blueprints leaked, the team of ESET experts promptly contacted the Chinese authorities such us Tencent company, owners of the qq.com domain,  and also the Chinese National Computer Virus Emergency Response Center,  their collaboration was essential to access to the account blocking them.

Another lesson learnt is an efficient fight to the cybercrime must be conducted with a total collaboration of all the involved actors. Only in this way it’s possible to conduct an efficient immunization.

Pierluigi Paganini