Report: Espionage malware sends data to China
ESET Security researchers have discovered an espionage worm, believed to have originated from China, that targets and steals files running AutoCAD software.
According to the security vendor in a blog post Thursday, "tens of thousands" of AutoCAD blueprints had been leaked by the malware, called ACAD/Medre.A, which steals files and sends them to e-mail accounts located in China. This led the security vendor to conclude the malware was likely designed for industrial espionage.
ESET added it was working with Chinese Internet service provider (ISP), Tencent, the Chinese National Computer Virus Emergency Response Center, and Autodesk, the creator of AutoCAD, to stop the harvesting of blueprints by blocking e-mail accounts associated with the stolen data.
The malware infects AutoCAD by modifying native startup files and employing Visual Basic Scripts executed using the Wscript.exe interpreter integrated in Windows operating system, Righard Zwienenberg, senior research fellow at ESET, explained in the blog post. After some configuration, the malware opens AutoCAD blueprints through e-mail to a recipient with an e-mail account at Chinese Internet provide 163.com, and will do the same using 22 other accounts on 163.com and 21 accounts at qq.com, Zwienenberg added.
"ACAD/Medre.A represents a serious example of industrial espionage," he said. "Every new design is sent automatically to the operator of this malware. Needless to say, this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production."
Business users in Peru were main victims of the attack, though the malware also surfaced in other parts of South America, ESET noted. A high number of infections was observed in the country where the malware had disguised itself as AutoCAD files and distributed to companies conducting business within Peru's public sector, noted the security company. As such, organizations in Peru might have been the primary target of ACAD/Medre.A operators, it added.