National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

APT Hackers Exploit Autodesk 3ds Max Software for Industrial Espionage

31 August 2020

It’s one thing for APT groups to conduct cyber espionage to meet their own financial objectives. But it’s an entirely different matter when they are used as “hackers for hire” by competing private companies to make away with confidential information.

Bitdefender’s Cyber Threat Intelligence Lab discovered yet another instance of an espionage attack targeting an unnamed international architectural and video production company that had all the hallmarks of a carefully orchestrated campaign.

“The cybercriminal group infiltrated the company using a tainted and specially crafted plugin for Autodesk 3ds Max,” Bitdefender researchers said in a report released today.

“The investigation also found that the Command and Control infrastructure used by the cybercriminal group to test their malicious payload against the organization’s security solution is located in South Korea.”

Although there have been previous instances of APT mercenary groups such as Dark Basin and Deceptikons (aka DeathStalker) targeting the financial and legal sectors, this is the first time a threat actor has employed the same modus operandi against the real-estate industry.

Last month, a similar campaign — called StrongPity — was found using tainted software installers as a dropper to introduce a backdoor for document exfiltration.

“This is likely to become the new normal in terms of the commoditization of APT groups — not just state-sponsored actors, but by anyone seeking their services for personal gain, across all industries,” the cybersecurity firm said.

Using a Tainted Autodesk 3ds Max Plugin

In an advisory published earlier this month, Autodesk warned users about a variant of the “PhysXPluginMfx” MAXScript exploit that can corrupt 3ds Max’s settings, run malicious code, and propagate to other MAX files on a Windows system once the infected files are loaded into the software.


But according to Bitdefender’s forensic analysis, this sketchy MAXScript Encrypted sample (“PhysXPluginStl.mse”) contained an embedded DLL file, which subsequently went on to download additional .NET binaries from the C&C server with the ultimate goal of stealing important documents.

The binaries, in turn, are responsible for downloading other malicious MAXScripts capable of collecting information about the compromised machine and exfiltrating the details to the remote server, which transmits a final payload that can capture screenshots and gather passwords from web browsers such as Firefox, Google Chrome, and Internet Explorer.

Aside from employing a sleep mechanism to stay under the radar and evade detection, Bitdefender researchers also found that the malware authors had an entire toolset for spying on their victims, including a “HdCrawler” binary, whose job is to enumerate and upload files with specific extensions (.webp, .jpg, .png, .zip, .obb, .uasset, etc.) to the server, and an info-stealer with extensive features.

The information amassed by the stealer ranges from the username, computer name, the IP addresses of network adapters, Windows ProductName, .NET Framework version, processor details (number of cores, speed, and other information), total and free RAM, and storage details, to the names of processes running on the system, the files set to start automatically after a boot, and the list of recently accessed files.
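The two behaviours described above, bulk collection of files with specific extensions and theft of browser-stored passwords, both leave a trace in file-access telemetry. The following is an added defensive example, not code from the article or from Bitdefender's report: it parses a constructed file-read log and applies two heuristics, one flagging a process that reads many files with the targeted extensions across several directories within a short window (the HdCrawler pattern), and one flagging any non-browser process that opens the Chrome or Firefox credential store. The log format, process names, user paths, thresholds and sample lines are all assumptions constructed for this example; the extension list is the one quoted in the article, and the store file names are the well-known Chrome ("Login Data") and Firefox ("logins.json", "key4.db") ones.

```python
"""Added example (not code from the article or from Bitdefender's report).

Two log-based heuristics for the post-compromise behaviour described above:
  1. an HdCrawler-style process reading many files with the targeted
     extensions across several directories within a short window;
  2. a non-browser process opening Chrome/Firefox credential stores, as the
     info-stealer does when gathering browser passwords.
Event format, process names, paths and thresholds are constructed for this
example; point parse_events() at your real EDR or file-audit export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the article lists as targeted by HdCrawler.
TARGET_EXTENSIONS = {".webp", ".jpg", ".png", ".zip", ".obb", ".uasset"}
# Well-known credential store file names, mapped to the process expected to open them.
CREDENTIAL_STORES = {"login data": "chrome.exe",
                     "logins.json": "firefox.exe", "key4.db": "firefox.exe"}
# Thresholds for the crawler heuristic: assumptions for this example, tune per environment.
WINDOW = timedelta(seconds=60)
MIN_FILES = 8
MIN_DIRS = 3

# Constructed file-read telemetry, one event per line: timestamp|pid|process|path
SAMPLE_EVENTS = r"""
2020-08-10T09:00:00|4120|3dsmax.exe|C:\Projects\tower\scene.max
2020-08-10T09:00:01|4120|3dsmax.exe|C:\Projects\tower\textures\brick.jpg
2020-08-10T09:00:01|4120|3dsmax.exe|C:\Projects\tower\textures\glass.png
2020-08-10T09:02:30|5210|chrome.exe|C:\Users\anna\AppData\Local\Google\Chrome\User Data\Default\Login Data
2020-08-10T09:05:00|7788|update.exe|C:\Users\anna\Pictures\site1.jpg
2020-08-10T09:05:01|7788|update.exe|C:\Users\anna\Pictures\site2.jpg
2020-08-10T09:05:02|7788|update.exe|C:\Users\anna\Documents\bid\floorplan.png
2020-08-10T09:05:03|7788|update.exe|C:\Users\anna\Documents\bid\renders.zip
2020-08-10T09:05:04|7788|update.exe|C:\Users\anna\Documents\bid\notes.txt
2020-08-10T09:05:05|7788|update.exe|C:\Projects\tower\textures\brick.jpg
2020-08-10T09:05:06|7788|update.exe|C:\Projects\tower\assets\hero.uasset
2020-08-10T09:05:07|7788|update.exe|C:\Projects\tower\assets\props.uasset
2020-08-10T09:05:08|7788|update.exe|C:\Projects\tower\assets\pack.obb
2020-08-10T09:05:09|7788|update.exe|C:\Users\anna\Pictures\site3.webp
2020-08-10T09:06:00|7788|update.exe|C:\Users\anna\AppData\Local\Google\Chrome\User Data\Default\Login Data
2020-08-10T09:06:01|7788|update.exe|C:\Users\anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
"""

EVENT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<pid>\d+)\|(?P<proc>[^|]+)\|(?P<path>.+)$")


def parse_events(text):
    """Parse 'timestamp|pid|process|path' lines into time-sorted tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["pid"]),
                           m["proc"].lower(), PureWindowsPath(m["path"])))
    events.sort(key=lambda e: e[0])
    return events


def find_crawlers(events, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Flag processes whose densest window of target-extension reads spans many directories."""
    per_proc = defaultdict(list)
    for ts, pid, proc, path in events:
        if path.suffix.lower() in TARGET_EXTENSIONS:
            per_proc[(pid, proc)].append((ts, str(path.parent)))
    alerts = []
    for (pid, proc), reads in per_proc.items():
        best, start = None, 0
        for end in range(len(reads)):           # sliding window over time-sorted reads
            while reads[end][0] - reads[start][0] > window:
                start += 1
            in_window = reads[start:end + 1]
            dirs = {d for _, d in in_window}
            if best is None or len(in_window) > best["files"]:
                best = {"pid": pid, "process": proc, "files": len(in_window),
                        "dirs": len(dirs), "first": in_window[0][0].isoformat(),
                        "last": reads[end][0].isoformat()}
        if best["files"] >= min_files and best["dirs"] >= min_dirs:
            alerts.append(best)
    return alerts


def find_credential_store_reads(events):
    """Flag reads of browser credential stores by any process other than the browser itself."""
    alerts = []
    for ts, pid, proc, path in events:
        owner = CREDENTIAL_STORES.get(path.name.lower())
        if owner and proc != owner:
            alerts.append({"pid": pid, "process": proc, "store": str(path),
                           "expected": owner, "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in find_crawlers(evs) + find_credential_store_reads(evs):
        print(alert)
```

On the constructed sample, 3dsmax.exe reading a scene and two textures stays below the thresholds, chrome.exe opening its own store is ignored, and update.exe is flagged twice: once for reading nine targeted files across four directories in nine seconds, and once for opening the Chrome and Firefox stores. The window and count thresholds are the tuning knobs; a render farm or backup agent will legitimately touch many image files, so scope the crawler rule to interactive user sessions or add an allow-list of known bulk readers.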

Bitdefender’s telemetry data also found other similar malware samples communicating with the same C&C server, dating back to just under a month ago, suggesting that the group targets other victims.

It’s recommended that 3ds Max users download the latest version of Security Tools for Autodesk 3ds Max 2021-2015SP1 to identify and remove the PhysXPluginMfx MAXScript malware.

“The sophistication of the attack reveals an APT-style group that had prior knowledge of the company’s security systems and used software applications, carefully planning their attack to infiltrate the company and exfiltrate data undetected,” the researchers said.

“Industrial espionage is nothing new and, since the real-estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects and could justify turning to mercenary APT groups for gaining a negotiation advantage.”

The information is gathered from THE HACKER NEWS.
