LAST-MINUTE PAPER: ACAD/Medre: industrial espionage in Latin America?

Robert Lipovsky ESET
Sebastian Bortnik ESET

  download slides (PDF)

The malware news today full of new, targeted, high-tech, military grade malicious code such as Stuxnet, Duqu and Flamer, all of which have grabbed headlines. A few months ago, researchers at ESET Security Research Lab noticed a significant spike in the detection rates of a piece of malware occurring in a specific Latin American country. It is quite uncommon to find this kind of propagation pattern, since most of the time the detection rates have similarities across many countries. In addition, it was a very peculiar detection: ACAD/Medre, a signature created for a piece of malware related to the popular design software AutoCAD.

Based on this information, we have analysed the sample and identified an industrial espionage attack developed for stealing designs, maps and blueprints; and which apparently spreads to steal information from Peruvian institutions and companies.

The worm, written in AutoLISP and Visual Basic Scripting language, employs functionality that leads to every AutoCAD file that is opened on an infected machine landing in the attackers' mailbox (in different Chinese email accounts). Furthermore, the fact that it has spread almost exclusively in Latin America makes this targeted attack the first advanced targeted threat of this magnitude reported in the region.

The investigation of the attacks revealed that more than 10,000 AutoCAD drawings were leaked over the period of the last two years.

This paper presents the results of our research and documents the case study from the beginning to the end: its discovery, why it was noticed, how it was analysed, the key features of the code and the overall design of the attack.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.