Mercenary hacker group targets companies with 3Ds Max malware

Hacker-for-hire group uses a malicious 3Ds Max plugin to infect companies with malware and steal proprietary information.
Written by Catalin Cimpanu, Contributor

Security firm Bitdefender said it discovered what appears to be a new hacker group that is currently targeting companies across the globe with malware hidden inside malicious 3Ds Max plugins.

3Ds Max is a 3D computer graphics application developed by Autodesk; it is commonly installed at engineering, architecture, gaming, and software companies.

Earlier this month, on Aug. 10, Autodesk published a security alert about a malicious plugin named "PhysXPluginMfx" that abused MAXScript, a scripting utility that ships with the 3Ds Max software.

The advisory warned that, once loaded inside 3Ds Max, the PhysXPluginMfx plugin would run malicious MAXScript operations to corrupt 3Ds Max settings and execute further code, and would propagate by infecting other MAX scene files (*.max) on the Windows system, so that the malware spread to any other user who received and opened those files.

Bitdefender, which took a closer look at this malicious plugin in a report published today, said its real purpose was to deploy a backdoor trojan that the attackers could use to search infected computers for sensitive files and later exfiltrate important documents.
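The advisory and the report describe two places such a plugin lives: MAXScript files that 3Ds Max runs automatically from its scripts/startup folders, and scene files it has written itself into. The triage scanner below is an added example, not code from the article, Autodesk, or Bitdefender. It walks a directory tree, treats anything under a folder named "startup" as auto-run, string-scans .ms/.mcr/.mzp scripts and .max scenes (in both an 8-bit and a UTF-16LE view, because scene files and Windows-written scripts often store text as UTF-16), and flags encrypted .mse scripts in startup folders because their contents cannot be inspected. The only indicator taken from the page is the plugin name PhysXPluginMfx; the other MAXScript primitives in the list (callbacks.addScript, DOSCommand, ShellLaunch, dotNetClass) are an assumption about what a scene or startup script rarely needs, and the sample files are constructed for the demo rather than real malware.

```python
"""Triage scanner for MAXScript startup persistence and scene-file infection.

Added example; not code from the article, Autodesk or Bitdefender.
"""
import tempfile
from pathlib import Path

# Lowercase indicator strings. "physxpluginmfx" is the plugin name from the
# Autodesk advisory; the rest are generic MAXScript primitives (assumption for
# this example, not an indicator list published by the advisory or the report).
INDICATORS = {
    "physxpluginmfx": "PhysXPluginMfx plugin name (Autodesk advisory)",
    "callbacks.addscript": "callback registration (script re-runs on scene events)",
    "doscommand": "shell command execution from MAXScript",
    "shelllaunch": "process launch from MAXScript",
    "dotnetclass": ".NET interop from MAXScript",
}

SCRIPT_EXT = {".ms", ".mcr", ".mzp"}   # plain-text MAXScript that can be read
ENCRYPTED_EXT = {".mse"}               # encrypted MAXScript, opaque to string scans
SCENE_EXT = {".max"}                   # 3ds Max scene files


def find_indicators(data: bytes) -> list:
    """Return (indicator, description) pairs present in raw file bytes.

    Both the raw 8-bit bytes and a UTF-16LE decoding are searched, because
    scene files and Windows-written scripts may store text as UTF-16.
    """
    views = [data.lower()]
    utf16 = data.decode("utf-16-le", errors="ignore").lower()
    views.append(utf16.encode("ascii", errors="ignore"))
    return [(needle, desc) for needle, desc in INDICATORS.items()
            if any(needle.encode() in view for view in views)]


def scan_file(path: Path, in_startup: bool) -> dict:
    """Classify one file; returns {} when there is nothing to report."""
    ext = path.suffix.lower()
    if ext in ENCRYPTED_EXT:
        # An encrypted script in a startup folder executes at launch and cannot
        # be inspected here, so it is flagged for manual review.
        return {"reason": "encrypted MAXScript in startup folder", "hits": []} if in_startup else {}
    if ext not in SCRIPT_EXT | SCENE_EXT:
        return {}
    hits = find_indicators(path.read_bytes())
    if not hits:
        return {}
    reason = ("scene file containing script indicators" if ext in SCENE_EXT
              else "MAXScript containing indicators")
    return {"reason": reason, "hits": hits}


def scan_tree(root: Path) -> dict:
    """Walk root; files under any directory named 'startup' are treated as auto-run."""
    findings = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        in_startup = any(part.lower() == "startup" for part in rel.parts[:-1])
        result = scan_file(p, in_startup)
        if result:
            result["autorun"] = in_startup
            findings[rel.as_posix()] = result
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for this example (not real malware)."""
    (root / "scripts" / "startup").mkdir(parents=True)
    (root / "scenes").mkdir()
    # Benign startup script: defines a macro and nothing else.
    (root / "scripts" / "startup" / "ui_tweaks.ms").write_text(
        'macroScript MyTool category:"Custom" (print "hello")\n')
    # Startup script mimicking the advisory's description: named after the
    # plugin, registers a scene-load callback, and shells out (constructed).
    (root / "scripts" / "startup" / "PhysXPluginMfx.ms").write_text(
        'callbacks.addScript #filePostOpen "infect()" id:#PhysXPluginMfx\n'
        'DOSCommand "cmd /c echo constructed-sample"\n')
    # Encrypted script in the startup folder: contents are opaque.
    (root / "scripts" / "startup" / "helper.mse").write_bytes(b"\x00\x01opaque")
    # Clean scene: OLE magic header followed by non-text bytes.
    (root / "scenes" / "lobby.max").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    # Scene carrying script text as UTF-16LE (constructed; the article does not
    # describe the real on-disk layout of an infected scene).
    payload = 'callbacks.addScript #filePostOpen "PhysXPluginMfx" id:#x'.encode("utf-16-le")
    (root / "scenes" / "tower.max").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + payload)


def demo() -> dict:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        flag = "AUTORUN " if info["autorun"] else ""
        print(f"{flag}{rel}: {info['reason']}")
        for needle, desc in info["hits"]:
            print(f"    {needle}: {desc}")
```

Point scan_tree at a real installation's scripts folder and at a share of scene files to triage them; hits on the plugin name are strong, while hits on the generic primitives alone only mark a file for a human to read, since legitimate pipeline scripts do use them.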


The Romanian cybersecurity firm also said it investigated and was able to confirm attacks against at least one target, an international architectural and video production company, currently engaged in architectural projects with billion-dollar luxury real-estate developers across four continents.

Information gathered during this investigation revealed that hackers used a malware command and control (C&C) server that was located in South Korea.

"When looking at our own telemetry, we found other samples that communicated with the same C&C server, which means that the group was not limited to only developing samples for the victim that we investigated," Liviu Arsene, Bitdefender Senior E-Threat Analyst, told ZDNet in an email.

Per Bitdefender, these additional samples connected to the C&C server from South Korea, the United States, Japan, and South Africa, suggesting the group may have other, as yet unconfirmed, victims in those countries.

These connections go back at least one month, but, as Arsene told ZDNet, that does not mean the group began operating only a month ago; the attackers could easily have used a different server for earlier operations.

"If the sophistication of this investigated attack is any indication, they seem to have a firm grasp of what they're doing and could have been flying under the radar of security specialists for some time," Arsene said.

While the full extent of the group's operations is still unclear, Bitdefender researchers appear to believe that this group is yet another example of a sophisticated hacker-for-hire mercenary group renting its services to various actors for the purpose of industrial espionage.

The Bitdefender report does not publish the evidence behind this assessment, but if it holds, this would be the third hacker-for-hire group exposed this year, after Dark Basin (linked to Indian company BellTroX; targeted politicians, investors, and non-profits) and DeathStalker (previously tracked as Deceptikons; targeted European law firms).

The Bitdefender report is also the second public report of malware built around an Autodesk product. In November 2018, security firm Forcepoint discovered an industrial espionage group that targeted companies in the energy sector with AutoCAD-based malware. Arsene said Bitdefender was not able to find any evidence linking the two campaigns or groups.
