There's no better way for thieves to steal design secrets than straight from the engineers and designers who create them. CAD software programs are ripe for exploit.
With all the recent industrial espionage, it was only a matter of time before malware developers would take a look at Computer-Aided Design (CAD) programs as a way to exfiltrate proprietary documents and drawings from engineering firms. I can’t think of a better way to steal design secrets than right from the engineer or designer working on them.
CAD has been around since the early 1980s, so there are many packages to choose from. Which software did the digital bad guys go after? The most popular of course—AutoCAD.
I have several clients in the manufacturing sector, and they all use AutoCAD. Working with these clients, I learned a few things about AutoCAD. For one, it is expensive. So when a company has AutoCAD in place, they tend to stay with the version they bought.
What this does is pave the way for malware coders; they have a sizable population of computers running noncurrent, and more than likely vulnerable, versions of AutoCAD.
The malware coders have something else in their favor: engineering can involve multiple departments and outside consultants—a perfect way for malware to propagate if certain precautions are not in place. And I’m finding that precautions are not in place. That’s because most IT pros consider CAD-based malware a non-issue.
ACAD/Medre.A
I tended to agree. The first time I read about an AutoCAD malware was last year when ESET.com reported a strange anomaly on their LiveGrid network. It was strange because the malware attacked AutoCAD, but only in Peru of all places.
After some investigation, it was determined the malware ACAD/Medre.A was a worm programmed to send AutoCAD drawings via email to an account (you guessed it) in China. The experts at ESET had this to say:
ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals could have designs before they even go into production by the original designer.
Something else that ESET pointed out bothered one of my clients when I told them about ACAD/Medre.A: “The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office. The inventor may not know of the security breach until his patent claim is denied due to prior art.”
This particular client was applying for several patents at the time and, under my advisement, took several additional precautions. Yet everyone’s concern (even the client’s) eventually faded, as CAD-related malware never amounted to anything. That is, until a few weeks ago.
ACM_SHENZ.A
That’s when a new trojan popped up on Trend Micro’s radar—ACM_SHENZ.A, and it was targeting AutoCAD programs. But with a twist: the malware was benign. Like most trojans, its job was to gain a foothold on the victim’s computer.
Once safely entrenched, ACM_SHENZ.A obtains administrative rights, which make it simple for the malware to create network shares for all drives. The malware also opens ports 137, 138, 139, and 445. Doing so allows access to files, printers, and serial ports.
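The share-and-port footprint just described is something a defender can look for in ordinary command output. The following Python script is an added example (not code from the article, ESET or Trend Micro): it parses the text that Windows’ `net share` and `netstat -an` commands print, flags any share that exposes a drive root under a name other than the hidden administrative share for that drive, and reports which of ports 137, 138, 139 and 445 have a bound socket. The command output embedded in it is constructed for the demonstration.

```python
"""Audit saved `net share` / `netstat -an` output for the footprint described
in the article: drive-root shares and NetBIOS/SMB listeners.

Added example, not from the article or either vendor. Works offline on
text captured from a Windows host; the samples below are constructed.
"""
import re

SMB_NETBIOS_PORTS = {137, 138, 139, 445}

_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\$")      # e.g. D:\
_PATH_LIKE = re.compile(r"^[A-Za-z]:\\")        # any local path
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?")

# Constructed `net share` output. C$ and D$ are the hidden shares Windows
# creates itself; the share named "D" stands in for one an attacker added.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
D$           D:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Drawings     D:\\Projects\\Drawings
D            D:\\
The command completed successfully.
"""

# Constructed `netstat -an` output in the Windows format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def parse_net_share(text):
    """Return [(name, path, remark)] from `net share` output."""
    shares, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):          # header separator: table follows
            in_table = True
            continue
        if not in_table or not line or line.startswith("The command"):
            continue
        fields = re.split(r"\s{2,}", line)   # columns are padded with spaces
        name = fields[0]
        path = fields[1] if len(fields) > 1 and _PATH_LIKE.match(fields[1]) else ""
        remark = fields[-1] if fields[-1] not in (name, path) else ""
        shares.append((name, path, remark))
    return shares


def suspicious_drive_shares(shares):
    """Drive-root shares that are not the hidden admin share for that drive."""
    return [name for name, path, _ in shares
            if _DRIVE_ROOT.match(path) and name.upper() != path[0].upper() + "$"]


def parse_bound_ports(text):
    """Ports with a listening TCP socket or any bound UDP socket."""
    ports = set()
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            ports.add(port)
    return ports


def smb_exposure(ports):
    """Sorted list of the NetBIOS/SMB ports that are currently bound."""
    return sorted(ports & SMB_NETBIOS_PORTS)


if __name__ == "__main__":
    shares = parse_net_share(SAMPLE_NET_SHARE)
    print("drive-root shares outside the hidden admin set:", suspicious_drive_shares(shares))
    print("NetBIOS/SMB ports bound:", smb_exposure(parse_bound_ports(SAMPLE_NETSTAT)))
```

Ports 137 through 139 and 445 are bound on most Windows hosts that have file and printer sharing enabled, so their presence alone says nothing about infection; the useful signal is a difference from a baseline captured when the workstation was known clean, and a new share that exposes a whole drive is the stronger of the two indicators.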
Obtaining administrative rights also allows the attacker to plant additional malware. It’s this additional malware that experts at Trend Micro suspect will be used to steal drawings and engineering documents. What makes this malware especially deadly is that users more than likely will not consider a file with the .FAS extension unusual and will just ignore it. According to Trend Micro, “It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.”
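Because AutoCAD loads AutoLISP code from files it finds on its support path and next to drawings, a .FAS file that nobody deployed is exactly the kind of artifact worth inventorying. The script below is an added example, not code from the article or from either vendor. It hashes every .fas, .lsp and .vlx file under a directory tree, marks the names AutoCAD picks up automatically (acad.fas, acaddoc.fas, acad.lsp, acaddoc.lsp, which is general AutoCAD behaviour and not something the article states), and reports files whose hash is not in an allowlist of known-good support files. The directory layout and file contents are constructed placeholders.

```python
"""Inventory AutoCAD-loadable files and compare them to a known-good allowlist.

Added example, not from the article or either vendor. The sample tree is
built in a temporary directory with placeholder contents.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions AutoCAD loads and executes as code: compiled and plain AutoLISP, VLX.
LOADABLE = {".fas", ".lsp", ".vlx"}
# Startup files AutoCAD loads automatically when it starts or opens a drawing
# (general AutoCAD behaviour, not taken from the article).
AUTOLOAD_NAMES = {"acad.fas", "acaddoc.fas", "acad.lsp", "acaddoc.lsp"}

# Stands in for a stored baseline of hashes of the support files IT deployed.
KNOWN_GOOD_SHA256 = {hashlib.sha256(b"KNOWN-GOOD placeholder").hexdigest()}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_loadables(root, allowlist):
    """One record per loadable file under root: path, hash, autoload, known."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in LOADABLE:
            digest = sha256_file(p)
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "sha256": digest,
                "autoload": p.name.lower() in AUTOLOAD_NAMES,
                "known": digest in allowlist,
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def unexpected(findings):
    """Paths of loadable files whose hash is not in the allowlist."""
    return [f["path"] for f in findings if not f["known"]]


def build_sample_tree(base):
    """Constructed layout: one deployed acad.fas, one sitting beside a drawing."""
    base = Path(base)
    files = {
        "Support/acad.fas": b"KNOWN-GOOD placeholder",
        "Support/mytools.lsp": b'(defun c:hello () (princ "hi"))',
        "Projects/Bridge/bridge.dwg": b"not loadable; ignored by the audit",
        "Projects/Bridge/acad.fas": b"UNEXPECTED placeholder",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def run_demo():
    """Build the sample tree, audit it, return (all findings, unexpected paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        findings = audit_loadables(root, KNOWN_GOOD_SHA256)
        return findings, unexpected(findings)


if __name__ == "__main__":
    findings, bad = run_demo()
    for f in findings:
        tag = "AUTOLOAD" if f["autoload"] else "        "
        print(tag, "known" if f["known"] else "UNKNOWN", f["path"], f["sha256"][:16])
    print("unexpected:", bad)
```

Pointing the audit at project shares as well as the AutoCAD support folders matters here: an autoload name such as acad.fas sitting beside a set of drawings is the placement that lets it run when those drawings are opened, and it is also where a generic antivirus scan is least likely to look.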
Trend Micro engineers mirrored ESET experts’ sentiment that “being rare” is an advantage afforded AutoCAD malware: “Historically, AutoCAD malware is very rare, although not completely unheard of.”
Final thoughts
AutoCAD malware is still scarce, and it may seem like I’m making a big deal out of nothing. But it is a big deal to companies that pump time and money into a design, only to have it stolen and patented by someone else.
I asked the experts what we should be expecting and what additional protection manufacturing companies can put in place. The responses were, “It’s early, we are not sure what the secondary malware payload is.” Their suggestion was to exercise additional security with sensitive drawings.