
Saturday 23 June 2012

Worm steals AutoCAD files and sends them to China

Hey frenzz...
Researchers from ESET have found yet another malicious program created for industrial espionage.
"Another one", because the notorious Duqu and Flame also showed a particular interest in AutoCAD files.

The new malware, dubbed ACAD/Medre.A, was discovered on a large number of computers in Peru.
The virus infects the 3D-modelling program AutoCAD, versions 14.0 to 19.2: it modifies the AutoLISP startup file (acad.lsp) and runs through scripts executed by the Wscript.exe interpreter built into Windows. On infected machines the worm searches for AutoCAD files and sends them to 43 e-mail addresses hosted at 163.com and qq.com. These are popular sites in China, so one can assume the worm is of Chinese origin. The virus code already contains placeholders for the future AutoCAD versions 2013, 2014 and 2015, so the attackers clearly had far-reaching plans.

ACAD/Medre.A packs the loot into password-protected RAR archives (the password is the single character "1"), adds a .DXF configuration file, and then sends them one by one by e-mail over port 25.

The virus is widespread. According to ESET, by the time of the study ACAD/Medre.A had managed to send tens of thousands of AutoCAD files to the Chinese addresses; at the very least, the 163.com and qq.com mailboxes were full of incoming correspondence when they were examined.

ACAD/Medre is written in a dialect of Lisp that is used in AutoCAD projects. The use of an unusual programming language, together with atypical behaviour, is what has kept the detection rate of this threat so low until now. In short, ACAD/Medre collects drawings in AutoCAD format and tries to send them to the attackers.
Another interesting point is the way the virus spread: it was placed inside an AutoCAD template on one of the local-authority websites (more details will be published later), and victims were somehow induced to download that template. Apparently this was a targeted attack on some particular company in Peru for the purpose of industrial espionage.
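As an added example (not code from this post, from ESET, or from the malware itself), a small defender-side check for the persistence route described above: it walks a directory tree for AutoLISP startup files and flags those that hand execution to Windows Script Host. The indicator list, the inclusion of acaddoc.lsp alongside acad.lsp, and the two sample files are assumptions of my own, constructed for the demonstration.

```python
"""Flag AutoLISP startup files that spawn Windows Script Host, the
acad.lsp-plus-Wscript.exe route the post attributes to ACAD/Medre.A."""
import os
import re
import tempfile

# AutoCAD auto-loads these from its search path; acaddoc.lsp is an assumed addition.
STARTUP_NAMES = {"acad.lsp", "acaddoc.lsp"}
# Assumed indicators: script-host binaries, script extensions, and the AutoLISP
# calls that launch external programs or expose COM automation.
SUSPICIOUS = [r"wscript", r"cscript", r"\.vbs\b", r"\.js\b",
              r"\bstartapp\b", r"WScript\.Shell", r"vl-load-com"]
PATTERN = re.compile("|".join(SUSPICIOUS), re.IGNORECASE)


def scan_lisp_text(text):
    """Return the sorted, lower-cased indicators found in one startup file."""
    return sorted({m.group(0).lower() for m in PATTERN.finditer(text)})


def scan_tree(root):
    """Walk root; return {path: [indicators]} for startup files that look tampered."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in STARTUP_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_lisp_text(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed samples: a benign startup hook and one that launches a script via WSH.
BENIGN = '(defun s::startup () (princ "\\nCompany menu loaded."))\n'
TAMPERED = ('(defun s::startup () (startapp "wscript.exe" '
            '(strcat (getvar "TEMPPREFIX") "acad.vbs")))\n')


def demo():
    """Build a throwaway tree with both samples and return the flagged relative paths."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Support"))
        os.makedirs(os.path.join(root, "Projects", "bridge"))
        with open(os.path.join(root, "Support", "acad.lsp"), "w") as fh:
            fh.write(BENIGN)
        with open(os.path.join(root, "Projects", "bridge", "acaddoc.lsp"), "w") as fh:
            fh.write(TAMPERED)
        return {os.path.relpath(p, root): v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for path, found in demo().items():
        print(f"{path}: {', '.join(found)}")
```

Only the drawing-level acaddoc.lsp in the sample tree is reported; a benign startup hook that merely prints a banner is left alone.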


More information about ACAD/Medre and the cooperation with CVERC (the Chinese National Computer Virus Emergency Response Center) during the investigation can be found in the analytical publications:
ACAD/Medre.A - 10,000's of AutoCAD files leaked in suspected industrial espionage
ACAD/Medre.A Technical Analysis
ACAD/Medre.A report (pdf)
