IP theft doesn’t need a Flame or Duqu: Medre.A does the job

ESET's Zwienenberg described the incident as “a serious case of industrial espionage"

ESET first spotted what it calls the ACAD/Medre.A Worm some time ago, but only recently noticed an increase in activity in Peru. The worm steals AutoCAD drawings and has been sending them by email to destinations in China. AutoCAD is traditionally used for blueprints and new product modeling, so this is mainstream intellectual property theft.

“There is, as far as we can tell, no link to Stuxnet/Duqu/Flame – military grade,” Righard Zwienenberg, a senior research fellow at ESET, told Infosecurity. “This is more industrial grade.”

ESET has worked with the AutoCAD developer Autodesk, the Chinese ISP Tencent, and the Chinese National Computer Virus Emergency Response Center to stop the leaks; but it confirms that tens of thousands of drawings were leaking at the time of its discovery. Tencent co-operated with ESET and blocked the accounts that were being used to relay the emails in order to prevent any further leakage.

Zwienenberg described the incident as “a serious case of industrial espionage. Every new design is sent automatically to the operator of this malware.” It means that cybercriminals can get hold of new designs even before they go into production, and could even “apply for patents on the product before the inventor has registered it at the patent office.”

Most of the infected systems appear to be in Peru. ESET suspects that the malware was distributed to companies doing business with Peruvian public services via infected AutoCAD templates. The company rapidly developed a free stand-alone cleaner for the malware, but sees the real solution in the international co-operation with China. “Reaching out to other parties to prevent further damage really works,” commented ESET chief research officer Juraj Malcho. Without the assistance of Autodesk, Tencent and the Chinese National Computer Virus Emergency Response Center, which all helped ESET in taking down the dropsites and delivery chains, “it would have been relatively easy only to clean already affected systems, but systems that would not be cleaned could have continued to be leaking their designs,” he added. 

Zwienenberg is quick to stress that no significance should be attached to the Chinese destination for the stolen drawings. “The author of the malware could be anywhere in the world – it would be pure speculation to go into that.” Indeed, the somewhat unusual co-operation from the Chinese authorities also suggests that China may not be directly involved (although that too is speculation).

Zwienenberg does, however, suspect that the malware was specifically targeted at Peru. The worm uses “two different SMTP servers in China. Normally that should be blocked at an ISP level but in Peru that does not happen,” he said. “Seemingly knowing how the ISPs in Peru work, combined with the infected template on a popular public website in Peru makes it more like a targeted attack – although we can’t tell who that would be. It may also be a shotgun approach hoping that the blueprint the author is after is amongst the transmitted blueprints,” he told Infosecurity.
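The control Zwienenberg alludes to, blocking ordinary hosts from talking SMTP directly to arbitrary outside servers, can be checked inside an organisation as well as at an ISP. The following is an added example, not code from the article or from ESET, that scans constructed firewall flow logs and flags internal hosts sending mail to external servers without going through the sanctioned relay; the log format, address ranges and relay address are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed firewall/flow log lines (not taken from the article). Fields:
# timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOGS = """\
2012-06-21T09:12:01Z 10.20.30.41 51022 10.20.1.5 25 tcp allow
2012-06-21T09:12:07Z 10.20.30.41 51030 203.0.113.17 25 tcp allow
2012-06-21T09:12:09Z 10.20.30.88 49876 198.51.100.9 587 tcp allow
2012-06-21T09:13:15Z 10.20.30.41 51044 203.0.113.17 25 tcp allow
2012-06-21T09:14:02Z 10.20.1.5 40012 192.0.2.50 25 tcp allow
"""

# Assumed internal address space and the one host allowed to relay mail out.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SANCTIONED_RELAYS = {ipaddress.ip_address("10.20.1.5")}
SMTP_PORTS = {25, 465, 587}  # plain SMTP, SMTPS, submission

Flow = namedtuple("Flow", "ts src dst dport")

def parse_flows(text):
    """Parse the constructed log format into Flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, _sport, dst, dport, _proto, _action = parts
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_direct_smtp_egress(flows):
    """Flows where a non-relay internal host speaks SMTP to an external address."""
    return [f for f in flows
            if f.dport in SMTP_PORTS
            and is_internal(f.src) and not is_internal(f.dst)
            and f.src not in SANCTIONED_RELAYS]

def offending_hosts(flows):
    """Map each flagged source host to the sorted external SMTP servers it reached."""
    hosts = {}
    for f in find_direct_smtp_egress(flows):
        hosts.setdefault(str(f.src), set()).add(str(f.dst))
    return {src: sorted(dsts) for src, dsts in hosts.items()}
```

Run over the constructed sample, the relay's own outbound mail and internal-to-internal SMTP are ignored, while the two workstations mailing external servers directly are reported; in a real deployment the firewall should deny such flows outright rather than merely log them.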
