ACAD/Medre.A has mainly impacted computer users from Peru

Jun 21, 2012 12:48 GMT  ·  By

A worm written in AutoLISP, identified as ACAD/Medre.A, has caught the attention of ESET researchers after it attempted to steal tens of thousands of AutoCAD files from companies in Peru and a few neighboring countries.

Experts believe that most of the impacted machines are in Peru because the infection may have started from a local website that hosted an AutoCAD template in which the malware was hidden.

“If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries,” Righard Zwienenberg, senior research fellow at ESET, explained.

“The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment.”

After analyzing the threat, the researchers have found that it infects AutoCAD versions from 14.0 to 19.2 by modifying the startup file and naming itself acad.fas, the auto-load file.

Once it finds itself on a computer, ACAD/Medre.A will send all the AutoCAD files that are opened to email accounts registered at the Chinese ISPs that own the 163.com and qq.com domains.

The drawings, the associated acad.fas and the .dxf files were also gathered, archived and sent back to the attackers.
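As an added defender's example (not code from ESET or from the article), the Python script below hunts a project share for acad.fas autoload files of the kind the worm used, flags copies sitting next to drawings rather than in a support folder, and groups identical copies by SHA-256 so a responder can see how far one file has spread. The directory layout and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Autoload file name used by ACAD/Medre.A (from the report). A legitimate copy
# normally lives in the AutoCAD support folder; one sitting inside a project
# directory next to drawings matches the "infected template" pattern described.
AUTOLOAD_NAMES = {"acad.fas"}
DRAWING_SUFFIXES = {".dwg", ".dxf"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large shares can be scanned without loading files whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_autoload_files(root: Path) -> list[dict]:
    """Walk root and report every autoload file, noting whether drawings share its folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {name.lower(): name for name in files}  # case-insensitive match
        next_to_drawings = any(Path(f).suffix.lower() in DRAWING_SUFFIXES for f in files)
        for hit in AUTOLOAD_NAMES & lower_names.keys():
            path = Path(dirpath) / lower_names[hit]
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "sha256": sha256_of(path),
                "next_to_drawings": next_to_drawings,
            })
    return findings


def group_by_hash(findings: list[dict]) -> dict[str, list[str]]:
    """Identical bytes in several folders indicate a self-copying file rather than a local tool."""
    groups: dict[str, list[str]] = {}
    for finding in findings:
        groups.setdefault(finding["sha256"], []).append(finding["path"])
    return groups


def demo() -> list[dict]:
    """Build a constructed sample share (harmless placeholder bytes) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="medre_hunt_"))
    sample = {
        "projects/bridge/plan.dwg": b"constructed drawing",
        "projects/bridge/acad.fas": b"constructed worm copy",
        "projects/dam/site.dxf": b"constructed drawing",
        "projects/dam/ACAD.FAS": b"constructed worm copy",  # same bytes, different case
        "tools/support/acad.fas": b"constructed legitimate autoload",
        "projects/archive/readme.txt": b"no autoload file here",
    }
    for rel, data in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return sorted(find_autoload_files(root), key=lambda f: f["path"])


if __name__ == "__main__":
    results = demo()
    for entry in results:
        print(entry)
    for digest, paths in group_by_hash(results).items():
        print(f"{digest[:12]}... appears in {len(paths)} location(s)")
```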

Apparently, this campaign was so successful that the email accounts used by the cybercriminals contained around 100,000 emails and another 5,000 were waiting to be sent.

Fortunately, ESET has been able to collaborate with Tencent (the owner of the qq.com domain), Autodesk, and the Chinese National Computer Virus Emergency Response Center (CVERC). Together they not only blocked the accounts used by the attackers and removed them along with all the leaked drawings, but also alerted the impacted users.

To prevent further such incidents of industrial espionage, the security firm has made available a free stand-alone tool designed to clean ACAD/Medre.A infections. The cleaner is available here.