LAST-MINUTE PAPER: ACAD/Medre: industrial espionage in Latin America?

Robert Lipovsky ESET
Sebastian Bortnik ESET

The malware news today is full of new, targeted, high-tech, military-grade malicious code such as Stuxnet, Duqu and Flamer, all of which have grabbed headlines. A few months ago, researchers at ESET's Security Research Lab noticed a significant spike in the detection rates of a piece of malware in one specific Latin American country. Such a propagation pattern is quite uncommon, since detection rates usually show similar patterns across many countries. In addition, it was a very peculiar detection: ACAD/Medre, a signature created for a piece of malware related to the popular design software AutoCAD.

Based on this information, we analysed the sample and identified an industrial espionage attack developed to steal designs, maps and blueprints, which apparently spreads in order to steal information from Peruvian institutions and companies.

The worm, written in AutoLISP and Visual Basic Scripting language, causes every AutoCAD file opened on an infected machine to be sent to the attackers' mailboxes (several different Chinese email accounts). Furthermore, the fact that it has spread almost exclusively in Latin America makes this the first advanced targeted threat of this magnitude reported in the region.
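As an added example (not part of the paper or of ESET's own tooling), a defender-side scan for the pattern the abstract describes: AutoLISP startup files sitting next to drawings that spawn VBScript and mail files out. The startup filenames, indicator patterns and the two-indicator threshold are assumptions for illustration, not details taken from the paper.

```python
"""Defensive scan for AutoLISP startup files behaving like ACAD/Medre."""
import re
from pathlib import Path

# AutoCAD auto-loads these AutoLISP files when a drawing is opened, including
# from the drawing's own folder (assumed standard names, not from the abstract).
STARTUP_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acad.vlx", "acad.mnl"}

# Constructed byte patterns for the behaviour the abstract describes:
# AutoLISP that drops or runs VBScript and mails drawings out.
INDICATORS = {
    "spawns_script_host": re.compile(rb"(?i)\b(wscript|cscript)(\.exe)?\b|startapp"),
    "writes_vbs": re.compile(rb"(?i)\.vbs\b"),
    "mail_api": re.compile(rb"(?i)cdo\.message|smtp|sendusing|\.send\b"),
    "email_address": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    "touches_drawings": re.compile(rb"(?i)\.dwg\b|dwgname"),
}


def classify(data: bytes) -> list[str]:
    """Return the names of indicators present in one startup file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_drawing_dirs(root) -> list[dict]:
    """Walk root and report startup files that sit next to .dwg files and match
    at least two indicators (a single hit alone is common in benign automation)."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.name.lower() not in STARTUP_NAMES:
            continue
        has_drawings = any(p.suffix.lower() == ".dwg" for p in path.parent.iterdir())
        hits = classify(path.read_bytes())
        if has_drawings and len(hits) >= 2:
            findings.append({"file": str(path), "indicators": hits})
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_drawing_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["file"], ",".join(f["indicators"]))
```

Compiled .fas files are scanned as raw bytes, so string constants inside them are still matched, but obfuscated or encrypted payloads will not be; treat the scan as triage, not proof of absence.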

The investigation of the attacks revealed that more than 10,000 AutoCAD drawings were leaked over the period of the last two years.

This paper presents the results of our research and documents the case study from the beginning to the end: its discovery, why it was noticed, how it was analysed, the key features of the code and the overall design of the attack.
