LAST-MINUTE PAPER: ACAD/Medre: industrial espionage in Latin America?
Robert Lipovsky ESET
Sebastian Bortnik ESET
The malware news today is full of new, targeted, high-tech, military-grade malicious code such as Stuxnet, Duqu and
Flamer, all of which have grabbed headlines. A few months ago, researchers at ESET Security Research Lab noticed a
significant spike in the detection rates of a piece of malware occurring in a specific Latin American country. It is quite
uncommon to find this kind of propagation pattern, since most of the time the detection rates have similarities across
many countries. In addition, it was a very peculiar detection: ACAD/Medre, a signature created for a piece of malware
related to the popular design software AutoCAD.
Based on this information, we analysed the sample and identified an industrial espionage attack developed to steal
designs, maps and blueprints, and which apparently spreads in order to steal information from Peruvian institutions and companies.
The worm, written in AutoLISP and Visual Basic Scripting language, sends every AutoCAD file that is opened on an infected
machine to the attackers' mailboxes (several Chinese email accounts). Furthermore, the fact that it has spread almost
exclusively in Latin America makes this targeted attack the first advanced targeted threat of this magnitude reported in
the region.
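The exfiltration channel described above, every opened drawing mailed out of the organisation, leaves a footprint in outbound mail logs that a defender can hunt for. The following is an added example, not code from the paper or from ESET: it parses a constructed mail-gateway log (the log format, the sender addresses, the domain `empresa.example.pe` and the placeholder drop-box domains are all assumptions, not the accounts the authors observed) and flags any internal sender that has mailed CAD drawings to external addresses more times than a threshold.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway log (not from the paper). Each line carries a
# timestamp, envelope sender, envelope recipient and the attachment file name.
# All addresses and domains are placeholders.
SAMPLE_LOG = """\
2012-06-01T09:12:01 from=juan@empresa.example.pe to=colleague@empresa.example.pe attach=plano_norte.dwg
2012-06-01T09:12:44 from=juan@empresa.example.pe to=drop1@external-mail.example attach=plano_norte.dwg
2012-06-01T09:15:10 from=juan@empresa.example.pe to=drop1@external-mail.example attach=puente_v3.dwg
2012-06-01T09:20:02 from=ana@empresa.example.pe to=drop2@external-mail.example attach=informe.pdf
2012-06-01T09:31:57 from=juan@empresa.example.pe to=drop1@external-mail.example attach=catastro.dwg
2012-06-01T10:02:13 from=luis@empresa.example.pe to=client@partner.example.pe attach=detalle.dwg
"""

# Assumed log-line layout; adjust the pattern to the real gateway's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attach=(?P<attach>\S+)$"
)

# Assumption: the organisation's own mail domain(s); anything else is external.
INTERNAL_DOMAINS = {"empresa.example.pe"}

# AutoCAD drawing formats worth watching on the way out.
CAD_EXTENSIONS = (".dwg", ".dxf")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(addr):
    """True when the address's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def is_cad_drawing(filename):
    """True for attachment names that look like CAD drawings."""
    return filename.lower().endswith(CAD_EXTENSIONS)


def flag_dwg_exfil(log_text, threshold=2):
    """Map sender -> [(recipient, attachment), ...] for every internal sender
    that mailed at least `threshold` CAD drawings to external recipients."""
    per_sender = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        if is_cad_drawing(rec["attach"]) and is_external(rec["rcpt"]):
            per_sender[rec["sender"]].append((rec["rcpt"], rec["attach"]))
    return {s: hits for s, hits in per_sender.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for sender, hits in flag_dwg_exfil(SAMPLE_LOG).items():
        print(f"{sender}: {len(hits)} CAD drawings sent externally")
        for rcpt, attach in hits:
            print(f"    {attach} -> {rcpt}")
```

The threshold keeps a single drawing legitimately mailed to a partner (as `luis` does in the sample) out of the alert list, while a workstation that sends every drawing it opens to the same outside mailbox crosses it within minutes. In a real deployment the same logic would run over the gateway's actual log format, and a hit is the cue to inspect the AutoCAD startup scripts on that workstation.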
The investigation of the attacks revealed that more than 10,000 AutoCAD drawings were leaked over the period of the last
This paper presents the results of our research and documents the case study from the beginning to the end: its discovery,
why it was noticed, how it was analysed, the key features of the code and the overall design of the attack.