A new APT-style hacker-for-hire group is stealing proprietary information by delivering malware through malicious Autodesk 3ds Max plugins.
According to Romanian cybersecurity firm Bitdefender, a sophisticated but relatively new hacker-for-hire group is carrying out espionage operations against businesses across the globe. The group compromised the computer systems of a billion-dollar architecture firm known for its outstanding luxury real-estate projects in the UK, USA, Australia, and Oman.
The group infects computers with malware concealed in malicious plugins for Autodesk 3ds Max, a popular application used by architecture, gaming, engineering, and software firms to create professional 3D graphics.
The attack vector is a weakness present in several Autodesk 3ds Max versions that allows a malicious plugin to execute arbitrary code on the Windows host.
On August 10, Autodesk issued a security alert explaining that a malicious plugin dubbed "PhysXPluginMfx" abuses the MAXScript scripting utility that ships with 3ds Max. When Bitdefender analyzed the plugin, it found that it can deploy a backdoor trojan that steals sensitive files and confidential documents from Windows systems.
The attack’s sophistication reveals that the group already knew about the security systems and software applications used by the company. Using this information, the group carefully planned the attack to compromise the systems and exfiltrate data without getting detected.
Bitdefender researchers assessed that this is mainly an information-stealing campaign and that the group uses command-and-control (C&C) infrastructure hosted in South Korea to pursue its industrial-espionage objectives. By abusing vulnerable Autodesk 3ds Max installations, the attackers gain control of the targeted machines and deploy additional malicious tools to strengthen their foothold.
Once on a system, the malware can collect a wide range of information: screen captures, the username, the computer ID, the IP addresses of network adapters, the installed .NET Framework version, the Windows product name, processor details, free and total RAM, a listing of running processes, recently opened files, storage details, and a listing of files that run automatically at Windows startup.
The only confirmed victim of this group so far is a high-profile architecture firm. However, its C&C infrastructure is still active and has recorded traffic from malware samples in the US, Japan, South Africa, and South Korea, so there may be other targets in those regions.
The malware's authors took an interesting approach to avoiding attention. If Task Manager or Performance Monitor is running and its window is visible, a flag is set according to how much of the window area is visible to the user; that flag instructs the binary to sleep more and more often, reducing its CPU consumption, the researchers concluded in their report.
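The throttling behaviour described above has a mirror image for defenders: a process whose CPU consumption collapses whenever a monitoring window is on screen is behaving in a way benign software does not. The following Python model is an added example written for this article; it is not code from Bitdefender or from the malware. It assumes a hypothetical attacker-side policy (`throttle_sleep_ms`, where sleep grows linearly with the visible fraction of the monitor window) and a hypothetical detection heuristic (`is_monitor_aware`) run over constructed telemetry samples; the page does not state how the real sample measures visible area or scales its sleeps, and the threshold values are assumptions.

```python
"""Model of monitor-aware CPU throttling and a heuristic to detect it.

Constructed example for this article; not Bitdefender's or the malware's code.
The attacker-side policy and the detection thresholds are assumptions.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence

BASE_SLEEP_MS = 50  # assumed pace when nobody is watching


def throttle_sleep_ms(visible_fraction: float, base_ms: int = BASE_SLEEP_MS) -> int:
    """Hypothetical attacker-side policy: the larger the visible area of the
    Task Manager / Performance Monitor window, the longer the worker sleeps
    between work items (1x when barely visible, up to 20x when fully visible)."""
    if not 0.0 <= visible_fraction <= 1.0:
        raise ValueError("visible_fraction must be in [0, 1]")
    if visible_fraction == 0.0:
        return base_ms
    return int(base_ms * (1 + 19 * visible_fraction))


@dataclass(frozen=True)
class Sample:
    """One polling interval of per-process telemetry (constructed data)."""
    monitor_visible: bool  # a Task Manager / Performance Monitor window is on screen
    cpu_pct: float         # CPU consumed by the process during the interval


def monitor_aware_ratio(samples: Sequence[Sample]) -> Optional[float]:
    """Mean CPU while a monitor is visible divided by mean CPU while it is not.
    Returns None when either condition was never observed or the baseline is 0."""
    watched = [s.cpu_pct for s in samples if s.monitor_visible]
    unwatched = [s.cpu_pct for s in samples if not s.monitor_visible]
    if not watched or not unwatched:
        return None
    baseline = mean(unwatched)
    if baseline == 0:
        return None
    return mean(watched) / baseline


def is_monitor_aware(samples: Sequence[Sample],
                     ratio_threshold: float = 0.25,
                     min_samples: int = 5) -> bool:
    """Flag a process whose CPU use drops sharply as soon as a monitor window
    appears. Requires enough samples of both conditions to avoid false alarms
    from a process that simply finished its work. Thresholds are assumptions."""
    n_watched = sum(1 for s in samples if s.monitor_visible)
    n_unwatched = sum(1 for s in samples if not s.monitor_visible)
    if n_watched < min_samples or n_unwatched < min_samples:
        return False
    ratio = monitor_aware_ratio(samples)
    return ratio is not None and ratio < ratio_threshold


# Constructed telemetry: an exfiltration worker that throttles when watched,
# and a renderer that keeps working regardless of what is on screen.
SUSPECT = ([Sample(False, c) for c in (38.0, 41.0, 39.5, 40.0, 42.0)]
           + [Sample(True, c) for c in (3.0, 2.5, 1.0, 0.5, 0.5)])
BENIGN = ([Sample(False, c) for c in (80.0, 82.0, 79.0, 81.0, 80.5)]
          + [Sample(True, c) for c in (81.0, 79.5, 80.0, 82.0, 80.0)])

if __name__ == "__main__":
    for frac in (0.0, 0.25, 0.5, 1.0):
        print(f"visible {frac:.2f} -> sleep {throttle_sleep_ms(frac)} ms")
    for name, telemetry in (("suspect", SUSPECT), ("benign", BENIGN)):
        ratio = monitor_aware_ratio(telemetry)
        print(f"{name}: ratio={ratio:.3f} flagged={is_monitor_aware(telemetry)}")
```

On a real Windows host the `monitor_visible` signal would come from enumerating top-level windows and checking which part of the Task Manager or Performance Monitor window is actually exposed, and `cpu_pct` from per-process performance counters or ETW; both are outside this offline model, which only shows the correlation logic a hunting script would apply to that telemetry.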
Bitdefender’s global cybersecurity researcher Liviu Arsene states that hacker-for-hire groups have quickly gained popularity, and that several other such groups, including Dark Basin, Deceptikons, and StrongPity, have been identified recently.
It is a dangerous new trend as cybercriminals are getting more sophisticated and acting “more like mercenaries” offering their services to the “highest bidders,” Arsene added.