AutoCAD Malware Used in Espionage Campaign

Malware leveraging AutoCAD is not a new phenomenon; however, while not new, it is rare when compared to other malware infections. Researchers at Forcepoint have discovered a unique AutoCAD malware strain being used in a cyber-espionage campaign. For those who have never come across AutoCAD, the CAD stands for Computer Assisted Design, and the software has played a vital role over the past decades in building our technology-driven society, helping structures and engineering reach new levels of complexity. Designing a building such as the Burj Khalifa by hand would be difficult if not impossible, hence AutoCAD has come to be a crucial piece of software for engineering firms across the globe.

According to the report published by the firm, the campaign appears to have been active since 2014, based on telemetry data the company has analyzed. Further, Forcepoint believes the group behind this recent campaign is most likely very sophisticated and primarily interested in industrial espionage, given its focus on a niche infection vector like AutoCAD, a very expensive piece of software used mainly by engineers and designers.

Researchers discovered that a spear phishing email campaign was the main vector used to distribute the malware. The emails contained either an archive of malicious AutoCAD files or links to websites from where victims could download the ZIP files themselves. The downloadable ZIP files were even made larger than the attachment size limits set by email servers, to further legitimize the look of the campaign.


The campaign successfully targeted multiple companies across multiple sectors and locations with at least one campaign likely having been focused on companies within the energy sector. Forcepoint also discovered that the campaign was making use of already stolen design documents for major projects such as hotels, factory buildings, and even the Hong Kong-Zhuhai-Macau Bridge to further act as a lure.

AutoCAD’s Scripting Feature Abused

Based on Forcepoint’s analysis, the corrupted ZIP files contained hidden Fast-Load AutoLISP (.fas) modules. These .fas modules are the equivalent of scripting components for the AutoCAD design software, akin to what macros are for Word files. The difference is that .fas modules use the Lisp programming language for their scripts, instead of VisualBasic or PowerShell, the scripting languages usually found in macros. Depending on the victim's AutoCAD installation settings, the AutoCAD app will automatically execute these .fas scripting modules either when the user opens the main .cad project or when the user opens any .cad project. Recent versions of the AutoCAD software, those released after 2014, show warnings when executing a .fas module, but just as with the macro warnings in Office apps, some users tend to simply click through all the security alerts without thinking of the consequences, in order to open and view the main file's content as soon as possible.

Researchers were quick to point out that they were unclear how the rest of the campaign played out and stated that investigations had not yet concluded. What could be concluded safely, from over 200 data sets and about 40 unique malicious modules named “acad.fas”, was that the campaign is an extended one built around a small downloader component. Researchers say that the malicious “acad.fas” modules they've observed would attempt to connect to a remote command-and-control server to download other malware, but they haven't been able to determine what this subsequent malware was. The group behind the campaign also appears to be experienced in AutoCAD-based malware, as the command and control server's IP address was previously used in older AutoCAD malware campaigns. The last clue as to the identity of the attackers that the researchers found was that the command and control server appeared to be running a Chinese-language installation of Microsoft Internet Information Server 6.0, and that a neighboring IP address was hosting a similar service, most likely part of a larger attack infrastructure.
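The two paragraphs above describe the infection mechanism: an AutoLISP module such as “acad.fas” hidden in a ZIP beside the drawing files, which AutoCAD loads automatically when the drawing is opened. The following added example (not code from the original article or from Forcepoint) is a small mail-gateway style check that scans an archive for such modules. It assumes the list of AutoCAD scripting extensions, the auto-loaded module names, and the `FAS4-FILE` marker at the start of compiled FAS files; the sample archive is constructed inline.

```python
import io
import zipfile

# File extensions AutoCAD treats as loadable scripting modules (assumed list).
SCRIPT_EXTENSIONS = (".fas", ".lsp", ".vlx", ".mnl")

# Marker that compiled Fast-Load AutoLISP (FAS4) files begin with; assumed
# constant here, used to catch a module renamed to a harmless-looking extension.
FAS4_MAGIC = b"FAS4-FILE"

# Module names AutoCAD auto-loads from a drawing's directory (assumed list);
# "acad.fas" is the name reported for the campaign described above.
AUTOLOAD_NAMES = ("acad.fas", "acad.lsp", "acaddoc.lsp")


def scan_archive(zip_bytes):
    """Return a list of (entry_name, reason) for suspicious entries in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            with zf.open(info) as fh:
                head = fh.read(64)  # only the first bytes are needed for the marker
            if base in AUTOLOAD_NAMES:
                findings.append((name, "auto-loaded AutoLISP module name"))
            elif base.endswith(SCRIPT_EXTENSIONS):
                findings.append((name, "AutoCAD scripting module"))
            elif FAS4_MAGIC in head:
                findings.append((name, "FAS4 header under non-script extension"))
    return findings


def build_sample_archive():
    """Constructed sample: a drawing, a lure note, a hidden acad.fas and a renamed FAS file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/bridge_plan.dwg", b"AC1027" + b"\x00" * 32)  # fake drawing body
        zf.writestr("project/acad.fas", b"\r\n FAS4-FILE ; Do not change it!\r\n")
        zf.writestr("project/readme.txt", b"Please review the attached drawings.")
        zf.writestr("project/notes.dat", b"\r\n FAS4-FILE ; Do not change it!\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_archive(build_sample_archive()):
        print(f"{entry}: {reason}")
```

In a gateway, any finding is reason to quarantine the archive and alert the recipient's team rather than rely on the warning dialog inside AutoCAD.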

How to Better Protect Your Firm

Even though the investigation is ongoing, Forcepoint has recommended some measures to help users protect themselves. One of the recommendations is that AutoCAD users look over Autodesk's AutoCAD security recommendations page for tips on safely configuring AutoCAD to protect against malicious modules. This page includes steps that can be taken to limit AutoCAD's ability to execute FAS and other scripting modules. Another piece of handy information covered on the page is how to recover and clean an AutoCAD installation after an attack with malicious code.

As was mentioned earlier, this is not a new method of attack. Similar-style attacks previously occurred in 2009 and 2012. In the 2009 attack, researchers at Sophos Labs discovered AutoCAD malware. This was unexpected, as the researcher in charge had only seen one other example of such malware before, in 2007. In the 2012 instance, researchers at ESET published a whitepaper detailing the malware named ACAD/Medre.A. Researchers discovered that the worm was capable of stealing AutoCAD drawings and sending them to email accounts located in China. After lengthy investigations with the help of Autodesk and Chinese ISP Tencent, the security firm concluded that,

“ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware. Needless to say, this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals will have designs before they even go into production by the original designer. The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office. The inventor may not know of the security breach until his patent claim is denied due to prior art.”

It will be interesting to see if Forcepoint’s analysis concludes on a similar note.
