New industrial espionage campaign leverages AutoCAD-based malware

Researchers warn about industrial espionage group targeting companies in the energy sector with AutoCAD-based malware.

Security researchers have spotted a somewhat unique malware distribution campaign that uses AutoCAD-based malware to target companies.

Discovered by cyber-security firm Forcepoint, which shared its findings with ZDNet yesterday, the campaign appears to have been active since 2014, based on telemetry data the company has analyzed.

Forcepoint says the group behind this recent campaign is most likely very sophisticated and primarily interested in industrial espionage, due to its focus on using a niche infection vector like AutoCAD, a very expensive piece of software, utilized mainly by engineers and designers.

    "The actors have successfully targeted multiple companies across multiple geolocations with at least one campaign likely having been focused on the energy sector," Forcepoint experts wrote in a report they plan to publish later today.

    Researchers said the hacker group used spear-phishing emails that contained either archives of malicious AutoCAD files or links to websites from where victims could download the ZIP files themselves, in case the "lure" files needed to be larger than standard email servers' file attachment limits.

    Forcepoint said this spear-phishing campaign used "already-stolen design documents for major projects such as hotels, factory buildings, and even the Hong Kong-Zhuhai-Macau bridge as 'lures' to propagate further."

    Example of a project render from a lure package (Image: Forcepoint)

    Hackers leveraged AutoCAD's scripting feature

    The company said that victims usually get infected because the ZIP files with AutoCAD (.cad) projects they receive also contain hidden Fast-Load AutoLISP (.fas) modules.

    These .fas modules are the equivalent of scripting components for the AutoCAD design software, much as macros are for Word files. The difference is that FAS modules use the Lisp programming language for their scripts, instead of VisualBasic or PowerShell, the preferred scripting component used with macros.

    Depending on the victim's AutoCAD installation settings, the AutoCAD app will automatically execute these .fas scripting modules either when the user opens the main .cad project or when the user opens any .cad project.

    Recent versions of the AutoCAD software (versions released after 2014) show warnings when executing a .fas module, but just like with the macro warnings in Office apps, some users tend to plow through all the security alerts without thinking of the consequences, in order to open and view the main file's content as soon as possible.
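
A triage check for the delivery pattern described above, added here as an example (it is not code from Forcepoint's report or the original article): it lists AutoLISP modules inside a ZIP archive and flags auto-load names, the hidden file attribute, and modules sitting beside a drawing. The extension sets, the auto-load base names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumptions (not from the article): .lsp/.vlx are checked alongside .fas,
# .dwg/.dxf alongside ".cad", and acad/acaddoc are the auto-loaded base names.
SCRIPT_EXTS = {".fas", ".lsp", ".vlx"}
DRAWING_EXTS = {".dwg", ".dxf", ".cad"}
AUTOLOAD_NAMES = {"acad", "acaddoc"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" bit, low byte of ZipInfo.external_attr


def triage_archive(data: bytes) -> list[dict]:
    """Return one finding per AutoLISP module found in a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [(i, PurePosixPath(i.filename)) for i in zf.infolist() if not i.is_dir()]
        # Folders holding at least one drawing: a module here sits next to a lure.
        drawing_dirs = {p.parent for _, p in files if p.suffix.lower() in DRAWING_EXTS}
        for info, path in files:
            if path.suffix.lower() not in SCRIPT_EXTS:
                continue
            reasons = ["autolisp-module"]
            if path.stem.lower() in AUTOLOAD_NAMES:
                reasons.append("autoload-name")
            if info.external_attr & DOS_HIDDEN:
                reasons.append("hidden-attribute")
            if path.parent in drawing_dirs:
                reasons.append("beside-drawing")
            findings.append({"path": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed archive with placeholder contents, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/plan.dwg", b"placeholder drawing")
        hidden = zipfile.ZipInfo("project/acad.fas")
        hidden.external_attr = DOS_HIDDEN
        zf.writestr(hidden, b"placeholder module")
        zf.writestr("docs/readme.txt", b"placeholder text")
        zf.writestr("tools/helper.lsp", b"placeholder script")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding["path"], ",".join(finding["reasons"]))
```

A mail gateway or file-share hook could call `triage_archive` on inbound ZIP attachments and quarantine any archive whose findings include `autoload-name` or `hidden-attribute`.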

    Ongoing campaign still under analysis

    "We have tracked and analysed a large number (over 200 data sets and about 40 unique malicious modules) of 'acad.fas' versions in the past few months, from what looks like an extended campaign based around a small downloader component," Forcepoint said.

    Currently, it's unclear how the rest of the operation plays out. Researchers say that the malicious "acad.fas" modules they've observed would attempt to connect to a remote command-and-control (C&C) server to download other malware, but they haven't been able to determine what this subsequent malware was.

    "It is unclear whether this was a result of additional server-side checks in place to facilitate the targeting of specific victims or if it is merely an artefact of the campaign currently being 'inactive'," researchers said.

    They did say that the group behind this campaign appears to be an avid user of AutoCAD-based malware, as the C&C server's IP address was previously used in older AutoCAD malware campaigns.

    In addition, researchers said the C&C server appeared to be running a Chinese-language installation of Microsoft Internet Information Server 6.0, and that a neighboring IP address was hosting a similar service, most likely part of a larger attack infrastructure.

    Users can protect themselves

    Forcepoint recommends that all AutoCAD users take a look over Autodesk's AutoCAD security recommendations page for tips on safely configuring AutoCAD to protect against malicious modules.

    The page includes steps on limiting AutoCAD's ability to execute FAS and other scripting modules, but also other advice such as how to recover and clean an AutoCAD installation after attacks with malicious code.

    Furthermore, Forcepoint warns that the hacker group might also resort to sending some of their malware via postal packages with CD/DVD or USB drives containing the malicious AutoCAD files.

    While some might view this as odd or unrealistic, this is actually a pretty common practice among many design and engineering firms nowadays, mainly because some AutoCAD files --used for storing renderings of parts or building structures-- can easily reach more than 1GB in size, and many companies fear exposing proprietary designs online, and instead rely on courier services to exchange some of their files.

    This is also not the first time that cyber-criminals have used AutoCAD-based malware to infect companies. Previous campaigns have been documented in 2009 and 2012, respectively.