Recently, CyRadar's SOC system discovered a sophisticated attack campaign that uses AutoCAD malware to target businesses. AutoCAD is the most widely used design software today, which makes it an attractive carrier for malicious code that aims to steal important data from users' computers.

This campaign was first reported by Forcepoint security researchers in November 2018. Forcepoint described the group behind it as highly sophisticated and mainly interested in industrial espionage, because it infects victims only through AutoCAD, a very expensive software package used by engineers and designers.

To spread the malicious code, the attackers used phishing emails containing malicious AutoCAD files, or links to download ZIP archives when the AutoCAD file was too large to attach. Once a computer is infected, the malicious code automatically copies itself into the directory of every project opened on that computer, so the infection spreads further when an infected project is opened on another machine.

Hackers take advantage of AutoCAD's scripting

Every infected project contains AutoLISP (.fas) files marked with the hidden attribute so that the user does not see them. These .fas files are scripts for the AutoCAD design software, comparable to macros in the Word text editor. The difference is that FAS scripts are written in AutoCAD's Lisp dialect (AutoLISP), whereas Word macros use Visual Basic (VBScript).

With AutoCAD's default settings, the software automatically executes the malicious .fas files whenever the user opens an infected project.

AutoCAD versions released after 2014 display a warning before executing .fas files, much like the macro warning in the Word text editor. Most users dismiss such warnings without reading or understanding them, which leaves the system exposed.

The campaign is still ongoing

CyRadar's SOC system is still detecting AutoCAD malware attacks on businesses. The malware is found under the name "acad.fas". Samples carry many different hashes, but analysis shows they share one task: connecting to a control server to download further malware.

AutoCAD malicious code after decompile.

However, at the time of analysis the control server did not return any data, so the campaign's next step is unclear; perhaps the attacker is waiting for a specific victim.

According to Forcepoint's analysis report, the AutoCAD malware distributed at different times is attributed to the same group, because its control server address is identical to that of the earlier AutoCAD infection variants.

Forcepoint also reported that all of the control server's domain names resolved to the same IP address, which ran a Chinese-language installation of Microsoft Internet Information Server 6.0. They further found that a neighbouring IP address hosted similar services, most likely as part of a larger attack infrastructure.

How users can protect themselves

  • Autodesk has published a safe configuration in its security recommendations that minimizes the impact and spread of this malicious code; users should apply it.
  • Check and scan AutoCAD files with reputable antivirus software before opening them on your device.
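As an added illustration of the auto-load mechanism described above and of the "check and scan before opening" advice, the following Python scanner walks a project tree and reports AutoLISP script files that AutoCAD may load automatically from a drawing's folder, together with any .fas/.lsp file carrying the hidden attribute, hashing each hit for triage. This is example code written for this page, not CyRadar's or Autodesk's tooling; the list of auto-load file names and the sample project tree it builds are assumptions, and the "acad.fas" it creates is a constructed placeholder, not malware.

```python
"""Scan AutoCAD project folders for auto-loading AutoLISP scripts.

Added example, not CyRadar's tooling. It flags script files AutoCAD may
auto-load from a drawing's folder (acad.fas, the name seen in this campaign,
plus the classic acad.lsp / acaddoc.lsp auto-load names), and any .fas/.lsp
file carrying the hidden attribute, then hashes each hit for triage.
"""
import hashlib
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Names AutoCAD auto-loads from the current drawing's directory.
# Assumption: the list is illustrative, not exhaustive.
AUTOLOAD_NAMES = {"acad.fas", "acad.lsp", "acaddoc.lsp", "acaddoc.fas"}
SCRIPT_SUFFIXES = {".fas", ".lsp", ".vlx"}


@dataclass
class Finding:
    path: str
    reason: str
    hidden: bool
    sha256: str


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows, or a dot-prefixed name on any platform."""
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)
    except OSError:
        attrs = 0
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large drawings do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root: Path) -> List[Finding]:
    """Walk root and return suspicious AutoLISP files, auto-load names first."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        hidden = is_hidden(path)
        if path.name.lower() in AUTOLOAD_NAMES:
            reason = "auto-load name"
        elif hidden:
            reason = "hidden script file"
        else:
            continue  # an ordinary, visible .lsp library is not a finding
        findings.append(Finding(str(path), reason, hidden, sha256_of(path)))
    findings.sort(key=lambda f: (f.reason != "auto-load name", f.path))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample project tree (no real malware); returns its root."""
    root = Path(tempfile.mkdtemp(prefix="acad_scan_"))
    proj = root / "bridge_project"
    proj.mkdir()
    (proj / "bridge.dwg").write_bytes(b"AC1027 constructed placeholder drawing")
    # Auto-load name dropped next to the drawing, as in the campaign.
    (proj / "acad.fas").write_bytes(b"constructed-placeholder-1")
    # Dot-prefixed .fas exercises the hidden check on any platform.
    (proj / ".helper.fas").write_bytes(b"constructed-placeholder-2")
    # Legitimate, visible library: must not be reported.
    (proj / "lib").mkdir()
    (proj / "lib" / "dimstyles.lsp").write_text("(defun c:ds () (princ))")
    return root


def run_demo() -> List[Finding]:
    """Build the constructed tree and scan it."""
    return scan(build_demo_tree())


if __name__ == "__main__":
    for f in run_demo():
        flag = "H" if f.hidden else "-"
        print(f"{flag} {f.reason:18} {f.sha256[:16]}  {f.path}")
```

Point `scan()` at a shared project directory to get a list of script files worth submitting to antivirus before anyone opens the drawings; the hashes let an analyst match hits against the many different sample hashes seen in this campaign without moving the files.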

This is not the first time hackers have used AutoCAD-based malware to infect companies; earlier campaigns were recorded in 2009 and 2012. It shows the need for solutions that detect and prevent cyber attacks, because malicious code not only spreads but also evolves and returns to attack users at any time.

Ha Truong – CyRadar
