Spyware targets AutoCAD files
Anti-virus firm ESET has discovered a trojan that sends AutoCAD technical drawings to an email address in China. So far the AutoCAD spyware appears to have been quite successful: the security researchers' analysis of the email accounts used by the malware determined that tens of thousands of drawings had been acquired. Its likely that the trojan is being used for industrial espionage.
According to the report, the "ACAD/Medre.A" malware sends any opened AutoCAD files (.dwg) to an email address registered with Chinese provider 163.com in a password-protected ZIP file. If the system has Microsoft Outlook installed, the spyware also includes the program's PST file, which contains all files that are stored in Outlook.
The attackers used a total of 43 email accounts with 163.com and another Chinese provider, qq.com. The spyware directly communicated with the outgoing mail servers via SMTP; all of the login credentials for these accounts were stored in the script itself. ESET said that it has cooperated with the email providers to close down the accounts.
The spyware was developed in AutoCAD's custom AutoLISP scripting language and also uses Visual Basic scripts that are executed via the Wscript.exe interpreter built into Windows. The malware is activated when victims open a specially crafted AutoCAD file, and is thought to be capable of infecting other AutoCAD files.
According to ESET, the file was primarily deployed via a Peruvian web site, causing the malware to almost exclusively affect Peru and other countries in the Spanish-speaking world. The report contains a link to an ACAD/Medre.A removal tool; ESET says that the spyware is already detected by some AV programs.
Technical drawings were also among the targets of the Flame super spyware. Unlike the current malware sample, however, Flame was specifically developed to spy on targets in the Middle East and had numerous other tricks up its sleeve, for example, deployment via bogus Windows updates.