Security researchers have come across a new worm that is meant specifically to steal blueprints, design documents and other files created with the AutoCAD software. The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China. However, experts say that the worm’s infection rates are dropping at this point and it doesn’t seem to be part of a targeted attack campaign.
The worm first hit researchers’ radar about six months ago, and when they began digging into the situation, they discovered that not only was the worm highly customized and well-constructed, it seemed to be targeting mostly machines in Peru for some reason. Researchers at Eset notcied a major spike in activity from the worm in Peru two months ago and started the process of figuring out what it was doing and where it came from. What they found is that ACAD/Medre.A was written in AutoLISP, a specialized version of the LISP scripting language that’s used in AutoCAD.
That was odd in and of itself, but as they looked into the attacks further, they discovered that the attackers were using specific URLs to spread the infected template to targets.
“If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment,” Righard Zwienenberg of Eset wrote in an analysis of the worm’s activity.
When the worm is on a new machine, it will modify the startup file for AutoLISP and then goes through some configuration routines to get everything set. Then it’s on to the data-stealing bit.
“After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider. Remarkably, this is done by accessing smtp.163.com and smtp.qq.com with the different account credentials. It is ill advised to have port 25 outgoing allowed other than to your own ISP. Obviously the Internet Providers in Peru do allow this. Also it is reasonable to assume that the companies that are a victim of this suspected industrial espionage malware do not have their firewalls configured to block port 25 either,” Zwienenberg wrote.
Researchers at Kaspersky Lab said that the worm doesn’t seem to be going after any specific kind of company or to be part of a targeted attack campaign. Some of the samples sent to Kaspersky came from companies that don’t use AutoCAD software.
“I don’t think it’s an APT. It’s kind of an uncontrolled attack,” said Dimitry Bestuzhev, head of the Global Research and Analysis Team for Kaspersky in Latin America. “It’s hard to say who the target is, and it doesn’t seem to be government sponsored.”
Interestingly, although the worm is written in AutoLISP, most of the functions in the ACAD/Madre.A worm are done through the use of VisualBasic scripts. There are separate scripts for a number of different actions, including the function that sends the stolen files to the attacker. Eset researchers found that although the huge proportion of infections are in Peru, there also are some in China, as well as in Ecuador and other countries in South America.
“When it’s a targeted attack, they try to limit the propagation to machines they care about, and that’s not the case with this,” Bestuzhev said.