Robert Lipovsky ESET
Sebastian Bortnik ESET
The malware news today is full of new, targeted, high-tech, military-grade malicious code such as Stuxnet, Duqu and Flamer, all of which have grabbed headlines. A few months ago, researchers at the ESET Security Research Lab noticed a significant spike in the detection rate of one piece of malware in a single Latin American country. This kind of propagation pattern is quite uncommon, since detection rates usually look similar across many countries. The detection itself was also peculiar: ACAD/Medre, a signature created for a piece of malware that targets the popular design software AutoCAD.
Based on this information, we analysed the sample and identified an industrial espionage attack built to steal designs, maps and blueprints, one that apparently spreads in order to take information from Peruvian institutions and companies.
The worm, written in AutoLISP and VBScript (Visual Basic Scripting Edition), contains functionality that causes every AutoCAD file opened on an infected machine to be sent to the attackers' mailboxes (several different Chinese email accounts). Furthermore, the fact that it has spread almost exclusively in Latin America makes this the first advanced targeted threat of this magnitude reported in the region.
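The behaviour just described (an AutoLISP start-up file that drops a VBScript mailer and ships every opened drawing off by email) suggests a simple triage check a defender can run over AutoCAD support directories. The script below is an added example written for this page; it is not ESET's detection logic, not the ACAD/Medre signature, and the file names, regular expressions and sample contents are all assumptions chosen to illustrate the idea rather than indicators taken from the paper.

```python
"""Heuristic triage of AutoLISP start-up files for mail-based exfiltration.

Added example for this page; it is not ESET's detection logic and not the
ACAD/Medre signature. The file names, patterns and samples below are
assumptions chosen to illustrate the approach, not indicators from the paper.
"""
import re
from pathlib import Path
from typing import Dict, List

# Assumed: file names that AutoCAD loads automatically when a drawing is opened.
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas"}

# Assumed heuristics. Each pattern names one behaviour that is harmless on its
# own but suspicious in combination inside a drawing editor's start-up file.
HEURISTICS = {
    "launches_external_script": re.compile(
        r"\(\s*startapp\b|\bwscript\b|\bcscript\b", re.I),
    "writes_script_file": re.compile(
        r"\(\s*open\s+\"[^\"]+\.(?:vbs|bat|cmd)\"\s+\"w\"", re.I),
    "mail_machinery": re.compile(
        r"CDO\.Message|smtpserver|SendUsing|\bsmtp\b|AddAttachment", re.I),
}


def scan_lisp_source(name: str, text: str) -> Dict[str, object]:
    """Return which heuristics fire for one AutoLISP file, plus a verdict.

    The verdict is 'suspicious' only when script writing/launching and mail
    machinery appear together, so ordinary automation (a start-up file that
    merely sets system variables) stays out of the list.
    """
    hits = [key for key, rx in HEURISTICS.items() if rx.search(text)]
    runs_code = "launches_external_script" in hits or "writes_script_file" in hits
    verdict = "suspicious" if runs_code and "mail_machinery" in hits else "clean"
    return {
        "file": name,
        "autoload": name.lower() in AUTOLOAD_NAMES,
        "hits": hits,
        "verdict": verdict,
    }


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Scan every AutoLISP file under root; compiled .fas files are surfaced for review."""
    results: List[Dict[str, object]] = []
    for path in root.rglob("*"):
        suffix = path.suffix.lower()
        if suffix == ".lsp":
            results.append(scan_lisp_source(path.name, path.read_text(errors="replace")))
        elif suffix == ".fas":
            # Compiled AutoLISP cannot be pattern-matched meaningfully, so it is
            # reported as opaque rather than silently treated as clean.
            results.append({
                "file": path.name,
                "autoload": path.name.lower() in AUTOLOAD_NAMES,
                "hits": ["compiled_fas"],
                "verdict": "review",
            })
    return results


# Constructed samples (not real malware): a benign start-up file and one that
# writes a VBScript mailer stub and launches it with the current drawing name.
SAMPLES = {
    "acad.lsp": '(setvar "OSMODE" 35)\n(princ "\\nCompany defaults loaded.")\n',
    "acaddoc.lsp": (
        '(setq f (open "C:\\\\temp\\\\m.vbs" "w"))\n'
        '(write-line "Set m = CreateObject(\\"CDO.Message\\")" f)\n'
        '(write-line "m.AddAttachment WScript.Arguments(0)" f)\n'
        '(close f)\n'
        '(startapp "cscript C:\\\\temp\\\\m.vbs" (getvar "DWGNAME"))\n'
    ),
}


def flagged_samples() -> List[str]:
    """Names of the constructed samples whose verdict is 'suspicious'."""
    return [r["file"] for r in (scan_lisp_source(n, t) for n, t in SAMPLES.items())
            if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for sample_name, sample_text in SAMPLES.items():
        print(scan_lisp_source(sample_name, sample_text))
    # To triage a real installation, point scan_directory at the AutoCAD
    # support path, e.g. scan_directory(Path(r"C:\Program Files\Autodesk"))
```

The combination rule matters more than any single pattern: legitimate drawing automation frequently calls `startapp`, and a mail library alone proves nothing, but a start-up file that does both deserves a look. Compiled `.fas` files are reported separately because grep-style heuristics cannot see inside them.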
The investigation of the attacks revealed that more than 10,000 AutoCAD drawings were leaked over the period of the last two years.
This paper presents the results of our research and documents the case study from beginning to end: its discovery, why it was noticed, how it was analysed, the key features of the code and the overall design of the attack.